Cyber Resilience

CVE-2021-3939

Severity: High · Public PoC

Published: 17 November 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: available (see Vulnerability details)
CVSS Score v3.1: 7.8 (High), vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-3939 is a high-severity Free of Memory not on the Heap (CWE-590) vulnerability in Canonical's accountsservice package. Its CVSS base score is 7.8 (High); the vector (AV:L/AC:H/PR:L/S:C) describes a local, low-privileged caller reaching the root-owned accounts-daemon over D-Bus, with impact crossing the privilege boundary.

Operationally, EPSS ranks it at the 31.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Ubuntu-specific modifications to accountsservice (in the patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, which points to static storage, to be freed in the user_change_language_authorized_cb function. The path is reachable through the SetLanguage D-Bus method. Passing a non-heap address to free() is undefined behaviour: depending on the bytes preceding the static string, glibc's allocator may abort the daemon or accept the fake chunk and hand the static memory back to a later allocation, which is why the impact is rated beyond a simple crash. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3 and 0.6.55-0ubuntu14.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

canonical
accountsservice
0.6.55-0ubuntu12~20.04 — 0.6.55-0ubuntu12~20.05 · 0.6.55-0ubuntu13 — 0.6.55-0ubuntu13.3 · 0.6.55-0ubuntu14 — 0.6.55-0ubuntu14.1 (the upper bound of each range is the fixed release and is not itself affected)
canonical
ubuntu linux
20.04, 21.04, 21.10

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References