
CVE-2021-3560

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 February 2022
Modified: 06 November 2025
KEV Added: 12 May 2023
CVSS v3.1: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.1041 (93.4th percentile)
Risk Priority: 42 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-3560 is a high-severity Incorrect Authorization (CWE-863) vulnerability in polkit, affecting Red Hat Enterprise Linux among other distributions. Its CVSS v3.1 base score is 7.8 (High).

Operationally, it ranks in the top 6.6% of all CVEs by EPSS exploit likelihood (93.4th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2021-3560 is a local privilege escalation flaw in polkit: the daemon can be tricked into skipping the credential check it performs on behalf of other D-Bus services, so a request that should have required authorization is treated as coming from root. The vulnerability is tracked under CWE-863 (Incorrect Authorization) and CWE-754 (Improper Check for Unusual or Exceptional Conditions) and carries a CVSS v3.1 base score of 7.8.

An unprivileged local attacker can use the flaw to perform any polkit-gated action, for example creating a new local administrator account through a D-Bus service that delegates its authorization decisions to polkit. Per the CVSS vector, the attack requires local access and low privileges (AV:L, PR:L), has low complexity (AC:L) and needs no user interaction (UI:N), and its impact on confidentiality, integrity and availability is high.
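Because the affected distributions backport the fix without changing the polkit version string, triage cannot rely on the version alone. The following shell helper is an added example (not code from the page or from the polkit project): it gives a verdict from the upstream version reported by pkaction and then looks for the CVE id in the installed package's changelog. It assumes the upstream fix shipped in polkit 0.119, that Debian/Ubuntu package polkit as policykit-1 with a changelog under /usr/share/doc/policykit-1/, and that rpm-based systems package it as polkit.

```shell
#!/usr/bin/env bash
# Added triage helper for CVE-2021-3560 (not from the page or the polkit project).
# Assumptions: the upstream fix shipped in polkit 0.119, so earlier 0.x releases are
# reported as "possibly-vulnerable"; distributions backport fixes without bumping the
# version (Debian 11/Ubuntu 20.04 ship 0.105, RHEL 8 ships 0.115), so the package
# changelog check is the deciding evidence on those systems.
set -u

FIXED_MINOR=119

# Pull the version token out of a "pkaction version 0.118" style line and print
# the part that matters: the minor number for 0.x releases, or the whole number
# for the newer single-integer scheme ("121", "123", ...).
polkit_minor() {
    local v
    v=$(printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)?' | head -n 1)
    [ -n "$v" ] || return 1
    case "$v" in
        *.*) printf '%s\n' "${v#*.}" ;;
        *)   printf '%s\n' "$v" ;;
    esac
}

# Verdict by upstream version only: possibly-vulnerable | fixed | unknown.
polkit_status_from_version() {
    local minor
    minor=$(polkit_minor "$1") || { printf 'unknown\n'; return 0; }
    if [ "$minor" -lt "$FIXED_MINOR" ]; then
        printf 'possibly-vulnerable\n'
    else
        printf 'fixed\n'
    fi
}

# Look for the CVE id in the installed package's changelog (rpm- or dpkg-based).
# Returns 0 if found, 1 if not found, 2 if no changelog source is available.
polkit_changelog_mentions_cve() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog polkit 2>/dev/null | grep -q 'CVE-2021-3560'
    elif [ -r /usr/share/doc/policykit-1/changelog.Debian.gz ]; then
        zcat /usr/share/doc/policykit-1/changelog.Debian.gz 2>/dev/null | grep -q 'CVE-2021-3560'
    else
        return 2
    fi
}

# Print a report for the running host.
polkit_report() {
    if command -v pkaction >/dev/null 2>&1; then
        local line
        line=$(pkaction --version 2>/dev/null)
        printf 'installed: %s -> by upstream version: %s\n' "$line" "$(polkit_status_from_version "$line")"
    else
        printf 'pkaction not found; polkit may not be installed\n'
    fi
    polkit_changelog_mentions_cve
    case $? in
        0) printf 'package changelog references CVE-2021-3560: backported fix is present\n' ;;
        1) printf 'no CVE-2021-3560 entry in package changelog: treat the version verdict as final\n' ;;
        *) printf 'no rpm or dpkg changelog available for polkit\n' ;;
    esac
}

polkit_report
```

Run it as any user on the host being triaged; a "possibly-vulnerable" version verdict together with a changelog hit means the distribution patched the package in place, while "possibly-vulnerable" without a changelog hit is the case to escalate.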

Public references, including a Red Hat Bugzilla entry and a detailed analysis on the GitHub Security Lab blog, discuss the flaw and link to related proof-of-concept material on Packet Storm.


Vulnerability details

It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CWE(s): CWE-863 (Incorrect Authorization), CWE-754 (Improper Check for Unusual or Exceptional Conditions)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
polkit project | polkit | < 0.119 (fixed upstream in 0.119)
debian | debian linux | 11.0
canonical | ubuntu linux | 20.04
redhat | virtualization | 4.0
redhat | virtualization host | 4.0
redhat | openshift container platform | 4.7

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces credential-based access decisions for D-Bus requests, preventing the exact bypass that allows unauthorized privilege elevation to root.

AC-6 Least Privilege (prevent): Limits privileges assigned to processes and users so that even a successful polkit bypass cannot trivially grant full root/administrator rights.

Requestor identification and authentication (prevent): Requires reliable identification and authentication of the requestor before any privileged D-Bus operation is authorized by polkit.
