CVE-2021-35937: Race Condition

Published May 24, 2021
·
Updated

A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Other sources

In response to CVE-2017-7500 and CVE-2017-7501, it was decided that the policy of RPM is "Only follow directory symlinks owned by target directory owner or root." [1]. This check was implemented in a way that is subject to race conditions. If an attacker manages to change things between the call to lstat() that finds a safe symlink and the open() that creates a new file, the policy is not enforced.

Exploits are tricky because of the narrow timing window between the calls, but mazes [2] could probably be used to delay the stat() long enough for a reliable exploit. Fixing this would require opening the directory with OPATH|ONOFOLLOW, followed by fstat() to check ownership and openat() to create the final file.

References:

1. https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79 2. https://www.usenix.org/legacy/event/sec05/tech/fullpapers/borisov/borisov.pdf 3. https://bugzilla.suse.com/showbug.cgi?id=1157882

Red Hat

RPM Project RPM could allow a local authenticated attacker to gain elevated privileges on the system, caused by a TOCTOU race in checks for unsafe symlinks. An attacker could exploit this vulnerability to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501 and gain root privileges on the system.

IBM

Affected Software

9 affected components
RPM RPM<4.18.0
redhat Enterprise Linux=6.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
Fedoraproject Fedora=34
IBM R10.0<=10.1.3.0 10.0.245.0
IBM R9.4<=89.42.18.0 89.41.25.0 89.40.83.0
IBM R9.3<=89.33.52.0 89.33.45.0

Remediation

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=1964125

Event History

May 24, 2021
Data Sourced
via Red Hat·06:55 PM
DescriptionSeverityAffected Software
Aug 25, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness
May 27, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-35937?

CVE-2021-35937 is a race condition vulnerability found in rpm that allows a local unprivileged user to bypass checks and potentially gain root privileges.

2

How does CVE-2021-35937 impact data confidentiality and integrity?

CVE-2021-35937 poses a high threat to data confidentiality and integrity.

3

Which software versions are affected by CVE-2021-35937?

The affected software versions include rpm 4.18.0, Redhat Enterprise Linux 6.0, 7.0, 8.0, 9.0, and Fedoraproject Fedora 34.

4

What is the severity of CVE-2021-35937?

The severity level of CVE-2021-35937 is medium with a CVSS score of 6.4.

5

How can I fix the CVE-2021-35937 vulnerability?

To fix the CVE-2021-35937 vulnerability, it is recommended to update the affected software to a version that includes the fix or apply applicable patches.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203