{"id":"CVE-2021-3491","details":"The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being used in mem_rw when reading /proc/\u003cPID\u003e/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b (\"io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers\") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c (\"io_uring: add IORING_OP_PROVIDE_BUFFERS\") (v5.7-rc1).","aliases":["A-190877100","PUB-A-190877100"],"modified":"2026-03-15T22:40:58.319788Z","published":"2021-06-04T02:15:07.253Z","related":["MGASA-2021-0214","MGASA-2021-0215","SUSE-SU-2021:1887-1","SUSE-SU-2021:1888-1","SUSE-SU-2021:1889-1","SUSE-SU-2021:1890-1","SUSE-SU-2021:1891-1","SUSE-SU-2021:1899-1","SUSE-SU-2021:1912-1","SUSE-SU-2021:1913-1","SUSE-SU-2021:1975-1","SUSE-SU-2021:1977-1","SUSE-SU-2021:2208-1","SUSE-SU-2021:2421-1","openSUSE-SU-2021:0843-1","openSUSE-SU-2021:0947-1","openSUSE-SU-2021:1975-1","openSUSE-SU-2021:1977-1","openSUSE-SU-2024:10728-1","openSUSE-SU-2024:13704-1"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4949-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4950-1"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-589/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210716-0004/"},{"type":"FIX","url":"https://www.openwall.com/lists/oss-security/2021/05/11/13"},{"type":"FIX","url":"https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"5.7"},{"fixed":"5.10.37"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.11.21"}]},{"events":[{"introduced":"5.12"},{"fixed":"5.12.4"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]},{"events":[{"introduced":"0"},{"last_affected":"20.10"}]},{"events":[{"introduced":"0"},{"last_affected":"21.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3491.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}