Vulnerabilities > CVE-2021-3939 - Release of Invalid Pointer or Reference vulnerability in Canonical Accountsservice and Ubuntu Linux

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

canonical

CWE-763

NVD

Published: 2021-11-17

Updated: 2023-06-12

Summary

Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.

Vulnerable Configurations

Part	Description	Count
Application	Canonical Canonical Accountsservice 0.6.55-0Ubuntu12\~20.04 Canonical Accountsservice 0.6.55-0Ubuntu12\~20.04.6 Canonical Accountsservice 0.6.55-0Ubuntu13 Canonical Accountsservice 0.6.55-0Ubuntu14	4
OS	Canonical Canonical Ubuntu Linux 20.04 Canonical Ubuntu Linux 21.04 Canonical Ubuntu Linux 21.10	3

Common Weakness Enumeration (CWE)

CWE-763 - Release of Invalid Pointer or Reference

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References