CVE-2021-4440

In the Linux kernel, the following vulnerability has been resolved:

x86/xen: Drop USERGS_SYSRET64 paravirt call

commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream.

USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as there is no sysret PV hypercall defined.

So instead of testing all the prerequisites for doing a sysret and then mangling the stack for Xen PV again for doing an iret just use the iret exit from the beginning.

This can easily be done via an ALTERNATIVE like it is done for the sysenter compat case already.

It should be noted that this drops the optimization in Xen for not restoring a few registers when returning to user mode, but it seems as if the saved instructions in the kernel more than compensate for this drop (a kernel build in a Xen PV guest was slightly faster with this patch applied).

While at it remove the stale sysret32 remnants.

[ pawan: Brad Spengler and Salvatore Bonaccorso carnil@debian.org reported a problem with the 5.10 backport commit edc702b4a820 (x86/entry_64: Add VERW just before userspace transition).

   When CONFIG_PARAVIRT_XXL=y, CLEAR_CPU_BUFFERS is not executed in
   syscall_return_via_sysret path as USERGS_SYSRET64 is runtime
   patched to:

.cpu_usergs_sysret64    = { 0x0f, 0x01, 0xf8,
			    0x48, 0x0f, 0x07 }, // swapgs; sysretq

   which is missing CLEAR_CPU_BUFFERS. It turns out dropping
   USERGS_SYSRET64 simplifies the code, allowing CLEAR_CPU_BUFFERS
   to be explicitly added to syscall_return_via_sysret path. Below
   is with CONFIG_PARAVIRT_XXL=y and this patch applied:

   syscall_return_via_sysret:
   ...
   <+342>:   swapgs
   <+345>:   xchg   %ax,%ax
   <+347>:   verw   -0x1a2(%rip)  <------
   <+354>:   sysretq

]

Weakness

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Affected Software

Name	Vendor	Start Version	End Version
Linux_kernel	Linux	5.10.215 (including)	5.10.218 (excluding)
Linux	Ubuntu	bionic	*
Linux	Ubuntu	esm-infra-legacy/trusty	*
Linux	Ubuntu	esm-infra/bionic	*
Linux	Ubuntu	esm-infra/focal	*
Linux	Ubuntu	esm-infra/xenial	*
Linux	Ubuntu	focal	*
Linux	Ubuntu	trusty	*
Linux	Ubuntu	trusty/esm	*
Linux	Ubuntu	xenial	*
Linux-allwinner-5.19	Ubuntu	jammy	*
Linux-allwinner-5.19	Ubuntu	upstream	*
Linux-aws	Ubuntu	bionic	*
Linux-aws	Ubuntu	esm-infra-legacy/trusty	*
Linux-aws	Ubuntu	esm-infra/bionic	*
Linux-aws	Ubuntu	esm-infra/focal	*
Linux-aws	Ubuntu	esm-infra/xenial	*
Linux-aws	Ubuntu	focal	*
Linux-aws	Ubuntu	trusty	*
Linux-aws	Ubuntu	trusty/esm	*
Linux-aws	Ubuntu	upstream	*
Linux-aws	Ubuntu	xenial	*
Linux-aws-5.0	Ubuntu	bionic	*
Linux-aws-5.0	Ubuntu	esm-infra/bionic	*
Linux-aws-5.0	Ubuntu	upstream	*
Linux-aws-5.11	Ubuntu	esm-infra/focal	*
Linux-aws-5.11	Ubuntu	focal	*
Linux-aws-5.11	Ubuntu	upstream	*
Linux-aws-5.13	Ubuntu	esm-infra/focal	*
Linux-aws-5.13	Ubuntu	focal	*
Linux-aws-5.13	Ubuntu	upstream	*
Linux-aws-5.15	Ubuntu	upstream	*
Linux-aws-5.19	Ubuntu	jammy	*
Linux-aws-5.19	Ubuntu	upstream	*
Linux-aws-5.3	Ubuntu	bionic	*
Linux-aws-5.3	Ubuntu	esm-infra/bionic	*
Linux-aws-5.3	Ubuntu	upstream	*
Linux-aws-5.4	Ubuntu	bionic	*
Linux-aws-5.4	Ubuntu	esm-infra/bionic	*
Linux-aws-5.4	Ubuntu	upstream	*
Linux-aws-5.8	Ubuntu	esm-infra/focal	*
Linux-aws-5.8	Ubuntu	focal	*
Linux-aws-5.8	Ubuntu	upstream	*
Linux-aws-6.14	Ubuntu	upstream	*
Linux-aws-6.2	Ubuntu	jammy	*
Linux-aws-6.2	Ubuntu	upstream	*
Linux-aws-6.5	Ubuntu	upstream	*
Linux-aws-6.8	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	fips-updates/bionic	*
Linux-aws-fips	Ubuntu	fips-updates/focal	*
Linux-aws-fips	Ubuntu	fips/bionic	*
Linux-aws-fips	Ubuntu	fips/focal	*
Linux-aws-fips	Ubuntu	trusty	*
Linux-aws-fips	Ubuntu	upstream	*
Linux-aws-fips	Ubuntu	xenial	*
Linux-aws-hwe	Ubuntu	esm-infra/xenial	*
Linux-aws-hwe	Ubuntu	upstream	*
Linux-aws-hwe	Ubuntu	xenial	*
Linux-azure	Ubuntu	bionic	*
Linux-azure	Ubuntu	esm-infra-legacy/trusty	*
Linux-azure	Ubuntu	esm-infra/bionic	*
Linux-azure	Ubuntu	esm-infra/focal	*
Linux-azure	Ubuntu	esm-infra/xenial	*
Linux-azure	Ubuntu	focal	*
Linux-azure	Ubuntu	trusty	*
Linux-azure	Ubuntu	trusty/esm	*
Linux-azure	Ubuntu	upstream	*
Linux-azure	Ubuntu	xenial	*
Linux-azure-4.15	Ubuntu	bionic	*
Linux-azure-4.15	Ubuntu	esm-infra/bionic	*
Linux-azure-4.15	Ubuntu	upstream	*
Linux-azure-5.11	Ubuntu	esm-infra/focal	*
Linux-azure-5.11	Ubuntu	focal	*
Linux-azure-5.11	Ubuntu	upstream	*
Linux-azure-5.13	Ubuntu	esm-infra/focal	*
Linux-azure-5.13	Ubuntu	focal	*
Linux-azure-5.13	Ubuntu	upstream	*
Linux-azure-5.15	Ubuntu	upstream	*
Linux-azure-5.19	Ubuntu	jammy	*
Linux-azure-5.19	Ubuntu	upstream	*
Linux-azure-5.3	Ubuntu	bionic	*
Linux-azure-5.3	Ubuntu	esm-infra/bionic	*
Linux-azure-5.3	Ubuntu	upstream	*
Linux-azure-5.4	Ubuntu	bionic	*
Linux-azure-5.4	Ubuntu	esm-infra/bionic	*
Linux-azure-5.4	Ubuntu	upstream	*
Linux-azure-5.8	Ubuntu	esm-infra/focal	*
Linux-azure-5.8	Ubuntu	focal	*
Linux-azure-5.8	Ubuntu	upstream	*
Linux-azure-6.11	Ubuntu	upstream	*
Linux-azure-6.2	Ubuntu	jammy	*
Linux-azure-6.2	Ubuntu	upstream	*
Linux-azure-6.5	Ubuntu	upstream	*
Linux-azure-6.8	Ubuntu	upstream	*
Linux-azure-edge	Ubuntu	bionic	*
Linux-azure-edge	Ubuntu	esm-infra/bionic	*
Linux-azure-edge	Ubuntu	upstream	*
Linux-azure-fde	Ubuntu	esm-infra/focal	*
Linux-azure-fde	Ubuntu	focal	*
Linux-azure-fde	Ubuntu	upstream	*
Linux-azure-fde-5.15	Ubuntu	esm-infra/focal	*
Linux-azure-fde-5.15	Ubuntu	focal	*
Linux-azure-fde-5.15	Ubuntu	upstream	*
Linux-azure-fde-5.19	Ubuntu	jammy	*
Linux-azure-fde-5.19	Ubuntu	upstream	*
Linux-azure-fde-6.2	Ubuntu	jammy	*
Linux-azure-fde-6.2	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	fips-updates/bionic	*
Linux-azure-fips	Ubuntu	fips-updates/focal	*
Linux-azure-fips	Ubuntu	fips/bionic	*
Linux-azure-fips	Ubuntu	fips/focal	*
Linux-azure-fips	Ubuntu	trusty	*
Linux-azure-fips	Ubuntu	upstream	*
Linux-azure-fips	Ubuntu	xenial	*
Linux-azure-nvidia	Ubuntu	upstream	*
Linux-bluefield	Ubuntu	esm-infra/focal	*
Linux-bluefield	Ubuntu	focal	*
Linux-bluefield	Ubuntu	upstream	*
Linux-fips	Ubuntu	fips-updates/bionic	*
Linux-fips	Ubuntu	fips-updates/focal	*
Linux-fips	Ubuntu	fips-updates/xenial	*
Linux-fips	Ubuntu	fips/bionic	*
Linux-fips	Ubuntu	fips/focal	*
Linux-fips	Ubuntu	fips/xenial	*
Linux-fips	Ubuntu	upstream	*
Linux-gcp	Ubuntu	bionic	*
Linux-gcp	Ubuntu	esm-infra/bionic	*
Linux-gcp	Ubuntu	esm-infra/focal	*
Linux-gcp	Ubuntu	esm-infra/xenial	*
Linux-gcp	Ubuntu	focal	*
Linux-gcp	Ubuntu	upstream	*
Linux-gcp	Ubuntu	xenial	*
Linux-gcp-4.15	Ubuntu	bionic	*
Linux-gcp-4.15	Ubuntu	esm-infra/bionic	*
Linux-gcp-4.15	Ubuntu	upstream	*
Linux-gcp-5.11	Ubuntu	esm-infra/focal	*
Linux-gcp-5.11	Ubuntu	focal	*
Linux-gcp-5.11	Ubuntu	upstream	*
Linux-gcp-5.13	Ubuntu	esm-infra/focal	*
Linux-gcp-5.13	Ubuntu	focal	*
Linux-gcp-5.13	Ubuntu	upstream	*
Linux-gcp-5.15	Ubuntu	upstream	*
Linux-gcp-5.19	Ubuntu	jammy	*
Linux-gcp-5.19	Ubuntu	upstream	*
Linux-gcp-5.3	Ubuntu	bionic	*
Linux-gcp-5.3	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.3	Ubuntu	upstream	*
Linux-gcp-5.4	Ubuntu	bionic	*
Linux-gcp-5.4	Ubuntu	esm-infra/bionic	*
Linux-gcp-5.4	Ubuntu	upstream	*
Linux-gcp-5.8	Ubuntu	esm-infra/focal	*
Linux-gcp-5.8	Ubuntu	focal	*
Linux-gcp-5.8	Ubuntu	upstream	*
Linux-gcp-6.11	Ubuntu	upstream	*
Linux-gcp-6.14	Ubuntu	upstream	*
Linux-gcp-6.2	Ubuntu	jammy	*
Linux-gcp-6.2	Ubuntu	upstream	*
Linux-gcp-6.5	Ubuntu	upstream	*
Linux-gcp-6.8	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	fips-updates/bionic	*
Linux-gcp-fips	Ubuntu	fips-updates/focal	*
Linux-gcp-fips	Ubuntu	fips/bionic	*
Linux-gcp-fips	Ubuntu	fips/focal	*
Linux-gcp-fips	Ubuntu	trusty	*
Linux-gcp-fips	Ubuntu	upstream	*
Linux-gcp-fips	Ubuntu	xenial	*
Linux-gke	Ubuntu	esm-infra/focal	*
Linux-gke	Ubuntu	focal	*
Linux-gke	Ubuntu	upstream	*
Linux-gke	Ubuntu	xenial	*
Linux-gke-4.15	Ubuntu	bionic	*
Linux-gke-4.15	Ubuntu	esm-infra/bionic	*
Linux-gke-4.15	Ubuntu	upstream	*
Linux-gke-5.15	Ubuntu	esm-infra/focal	*
Linux-gke-5.15	Ubuntu	focal	*
Linux-gke-5.15	Ubuntu	upstream	*
Linux-gke-5.4	Ubuntu	bionic	*
Linux-gke-5.4	Ubuntu	esm-infra/bionic	*
Linux-gke-5.4	Ubuntu	upstream	*
Linux-gkeop	Ubuntu	esm-infra/focal	*
Linux-gkeop	Ubuntu	focal	*
Linux-gkeop	Ubuntu	upstream	*
Linux-gkeop-5.15	Ubuntu	upstream	*
Linux-gkeop-5.4	Ubuntu	bionic	*
Linux-gkeop-5.4	Ubuntu	esm-infra/bionic	*
Linux-gkeop-5.4	Ubuntu	upstream	*
Linux-hwe	Ubuntu	bionic	*
Linux-hwe	Ubuntu	esm-infra/bionic	*
Linux-hwe	Ubuntu	esm-infra/xenial	*
Linux-hwe	Ubuntu	upstream	*
Linux-hwe	Ubuntu	xenial	*
Linux-hwe-5.11	Ubuntu	esm-infra/focal	*
Linux-hwe-5.11	Ubuntu	focal	*
Linux-hwe-5.11	Ubuntu	upstream	*
Linux-hwe-5.13	Ubuntu	esm-infra/focal	*
Linux-hwe-5.13	Ubuntu	focal	*
Linux-hwe-5.13	Ubuntu	upstream	*
Linux-hwe-5.15	Ubuntu	upstream	*
Linux-hwe-5.19	Ubuntu	jammy	*
Linux-hwe-5.19	Ubuntu	upstream	*
Linux-hwe-5.4	Ubuntu	bionic	*
Linux-hwe-5.4	Ubuntu	esm-infra/bionic	*
Linux-hwe-5.4	Ubuntu	upstream	*
Linux-hwe-5.8	Ubuntu	esm-infra/focal	*
Linux-hwe-5.8	Ubuntu	focal	*
Linux-hwe-5.8	Ubuntu	upstream	*
Linux-hwe-6.11	Ubuntu	upstream	*
Linux-hwe-6.14	Ubuntu	upstream	*
Linux-hwe-6.2	Ubuntu	jammy	*
Linux-hwe-6.2	Ubuntu	upstream	*
Linux-hwe-6.5	Ubuntu	upstream	*
Linux-hwe-6.8	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/bionic	*
Linux-hwe-edge	Ubuntu	esm-infra/xenial	*
Linux-hwe-edge	Ubuntu	upstream	*
Linux-hwe-edge	Ubuntu	xenial	*
Linux-ibm	Ubuntu	esm-infra/focal	*
Linux-ibm	Ubuntu	focal	*
Linux-ibm	Ubuntu	mantic	*
Linux-ibm	Ubuntu	upstream	*
Linux-ibm-5.15	Ubuntu	upstream	*
Linux-ibm-5.4	Ubuntu	bionic	*
Linux-ibm-5.4	Ubuntu	esm-infra/bionic	*
Linux-ibm-5.4	Ubuntu	upstream	*
Linux-ibm-6.8	Ubuntu	upstream	*
Linux-intel	Ubuntu	upstream	*
Linux-intel-5.13	Ubuntu	esm-infra/focal	*
Linux-intel-5.13	Ubuntu	focal	*
Linux-intel-5.13	Ubuntu	upstream	*
Linux-intel-iot-realtime	Ubuntu	jammy	*
Linux-intel-iot-realtime	Ubuntu	upstream	*
Linux-intel-iotg	Ubuntu	upstream	*
Linux-intel-iotg-5.15	Ubuntu	upstream	*
Linux-iot	Ubuntu	esm-infra/focal	*
Linux-iot	Ubuntu	focal	*
Linux-iot	Ubuntu	upstream	*
Linux-kvm	Ubuntu	bionic	*
Linux-kvm	Ubuntu	esm-infra/bionic	*
Linux-kvm	Ubuntu	esm-infra/focal	*
Linux-kvm	Ubuntu	esm-infra/xenial	*
Linux-kvm	Ubuntu	focal	*
Linux-kvm	Ubuntu	upstream	*
Linux-kvm	Ubuntu	xenial	*
Linux-laptop	Ubuntu	upstream	*
Linux-lowlatency	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.15	Ubuntu	upstream	*
Linux-lowlatency-hwe-5.19	Ubuntu	jammy	*
Linux-lowlatency-hwe-5.19	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.11	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.2	Ubuntu	jammy	*
Linux-lowlatency-hwe-6.2	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.5	Ubuntu	upstream	*
Linux-lowlatency-hwe-6.8	Ubuntu	upstream	*
Linux-lts-xenial	Ubuntu	esm-infra-legacy/trusty	*
Linux-lts-xenial	Ubuntu	trusty	*
Linux-lts-xenial	Ubuntu	trusty/esm	*
Linux-lts-xenial	Ubuntu	upstream	*
Linux-nvidia	Ubuntu	upstream	*
Linux-nvidia-6.11	Ubuntu	upstream	*
Linux-nvidia-6.2	Ubuntu	jammy	*
Linux-nvidia-6.2	Ubuntu	upstream	*
Linux-nvidia-6.5	Ubuntu	upstream	*
Linux-nvidia-6.8	Ubuntu	upstream	*
Linux-nvidia-lowlatency	Ubuntu	upstream	*
Linux-nvidia-tegra	Ubuntu	upstream	*
Linux-nvidia-tegra-5.15	Ubuntu	upstream	*
Linux-nvidia-tegra-igx	Ubuntu	upstream	*
Linux-oem	Ubuntu	bionic	*
Linux-oem	Ubuntu	esm-infra/bionic	*
Linux-oem	Ubuntu	upstream	*
Linux-oem	Ubuntu	xenial	*
Linux-oem-5.10	Ubuntu	esm-infra/focal	*
Linux-oem-5.10	Ubuntu	focal	*
Linux-oem-5.10	Ubuntu	upstream	*
Linux-oem-5.13	Ubuntu	esm-infra/focal	*
Linux-oem-5.13	Ubuntu	focal	*
Linux-oem-5.13	Ubuntu	upstream	*
Linux-oem-5.14	Ubuntu	esm-infra/focal	*
Linux-oem-5.14	Ubuntu	focal	*
Linux-oem-5.14	Ubuntu	upstream	*
Linux-oem-5.17	Ubuntu	jammy	*
Linux-oem-5.17	Ubuntu	upstream	*
Linux-oem-5.6	Ubuntu	esm-infra/focal	*
Linux-oem-5.6	Ubuntu	focal	*
Linux-oem-5.6	Ubuntu	upstream	*
Linux-oem-6.0	Ubuntu	jammy	*
Linux-oem-6.0	Ubuntu	upstream	*
Linux-oem-6.1	Ubuntu	jammy	*
Linux-oem-6.1	Ubuntu	upstream	*
Linux-oem-6.11	Ubuntu	upstream	*
Linux-oem-6.14	Ubuntu	upstream	*
Linux-oem-6.5	Ubuntu	upstream	*
Linux-oem-6.8	Ubuntu	upstream	*
Linux-oracle	Ubuntu	bionic	*
Linux-oracle	Ubuntu	esm-infra/bionic	*
Linux-oracle	Ubuntu	esm-infra/focal	*
Linux-oracle	Ubuntu	esm-infra/xenial	*
Linux-oracle	Ubuntu	focal	*
Linux-oracle	Ubuntu	upstream	*
Linux-oracle	Ubuntu	xenial	*
Linux-oracle-5.0	Ubuntu	bionic	*
Linux-oracle-5.0	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.0	Ubuntu	upstream	*
Linux-oracle-5.11	Ubuntu	esm-infra/focal	*
Linux-oracle-5.11	Ubuntu	focal	*
Linux-oracle-5.11	Ubuntu	upstream	*
Linux-oracle-5.13	Ubuntu	esm-infra/focal	*
Linux-oracle-5.13	Ubuntu	focal	*
Linux-oracle-5.13	Ubuntu	upstream	*
Linux-oracle-5.15	Ubuntu	upstream	*
Linux-oracle-5.3	Ubuntu	bionic	*
Linux-oracle-5.3	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.3	Ubuntu	upstream	*
Linux-oracle-5.4	Ubuntu	bionic	*
Linux-oracle-5.4	Ubuntu	esm-infra/bionic	*
Linux-oracle-5.4	Ubuntu	upstream	*
Linux-oracle-5.8	Ubuntu	esm-infra/focal	*
Linux-oracle-5.8	Ubuntu	focal	*
Linux-oracle-5.8	Ubuntu	upstream	*
Linux-oracle-6.14	Ubuntu	upstream	*
Linux-oracle-6.5	Ubuntu	upstream	*
Linux-oracle-6.8	Ubuntu	upstream	*
Linux-raspi	Ubuntu	esm-infra/focal	*
Linux-raspi	Ubuntu	focal	*
Linux-raspi	Ubuntu	upstream	*
Linux-raspi-5.4	Ubuntu	bionic	*
Linux-raspi-5.4	Ubuntu	esm-infra/bionic	*
Linux-raspi-5.4	Ubuntu	upstream	*
Linux-raspi-realtime	Ubuntu	noble	*
Linux-raspi-realtime	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	bionic	*
Linux-raspi2	Ubuntu	esm-infra/focal	*
Linux-raspi2	Ubuntu	focal	*
Linux-raspi2	Ubuntu	upstream	*
Linux-raspi2	Ubuntu	xenial	*
Linux-realtime	Ubuntu	jammy	*
Linux-realtime	Ubuntu	upstream	*
Linux-realtime-6.14	Ubuntu	upstream	*
Linux-realtime-6.8	Ubuntu	upstream	*
Linux-riscv	Ubuntu	esm-infra/focal	*
Linux-riscv	Ubuntu	focal	*
Linux-riscv	Ubuntu	jammy	*
Linux-riscv	Ubuntu	upstream	*
Linux-riscv-5.11	Ubuntu	esm-infra/focal	*
Linux-riscv-5.11	Ubuntu	focal	*
Linux-riscv-5.11	Ubuntu	upstream	*
Linux-riscv-5.15	Ubuntu	upstream	*
Linux-riscv-5.19	Ubuntu	jammy	*
Linux-riscv-5.19	Ubuntu	upstream	*
Linux-riscv-5.8	Ubuntu	esm-infra/focal	*
Linux-riscv-5.8	Ubuntu	focal	*
Linux-riscv-5.8	Ubuntu	upstream	*
Linux-riscv-6.14	Ubuntu	upstream	*
Linux-riscv-6.5	Ubuntu	upstream	*
Linux-riscv-6.8	Ubuntu	upstream	*
Linux-starfive	Ubuntu	upstream	*
Linux-starfive-5.19	Ubuntu	jammy	*
Linux-starfive-5.19	Ubuntu	upstream	*
Linux-starfive-6.2	Ubuntu	jammy	*
Linux-starfive-6.2	Ubuntu	upstream	*
Linux-starfive-6.5	Ubuntu	upstream	*
Linux-xilinx-zynqmp	Ubuntu	esm-infra/focal	*
Linux-xilinx-zynqmp	Ubuntu	focal	*
Linux-xilinx-zynqmp	Ubuntu	upstream	*

Extended Description

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system. There are at least three distinct scenarios which can commonly lead to resource exhaustion:

Resource exhaustion problems are often result due to an incorrect implementation of the following situations:

Potential Mitigations

Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-4440
CWE	https://cwe.mitre.org/data/definitions/400.html

Uncontrolled Resource Consumption

Weakness

Affected Software

Extended Description

Potential Mitigations

References

CVE-2021-4440

Uncontrolled Resource Consumption

Weakness

Affected Software

Extended Description

Potential Mitigations

Related Attack Patterns

References