CVE-2021-27645

The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.

Weakness

The product calls free() twice on the same memory address.

Affected Software

Name	Vendor	Start Version	End Version
Glibc	Gnu	2.29 (including)	2.33 (including)
Red Hat Enterprise Linux 8	RedHat	glibc-0:2.28-164.el8	*
Red Hat Enterprise Linux 8	RedHat	glibc-0:2.28-164.el8	*
Eglibc	Ubuntu	trusty	*
Glibc	Ubuntu	esm-infra/focal	*
Glibc	Ubuntu	focal	*
Glibc	Ubuntu	groovy	*
Glibc	Ubuntu	trusty	*
Glibc	Ubuntu	xenial	*

Potential Mitigations

References

https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LZNT6KTMCCWPWXEOGSHD3YLYZKUGMH5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7TS26LIZSOBLGJEZMJX4PXT5BQDE2WS/
https://security.gentoo.org/glsa/202107-07
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LZNT6KTMCCWPWXEOGSHD3YLYZKUGMH5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7TS26LIZSOBLGJEZMJX4PXT5BQDE2WS/
https://security.gentoo.org/glsa/202107-07
https://sourceware.org/bugzilla/show_bug.cgi?id=27462

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-27645
CWE	https://cwe.mitre.org/data/definitions/415.html

Double Free

Weakness

Affected Software

Potential Mitigations

References