{"id":"CVE-2021-4439","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nisdn: cpai: check ctr-\u003ecnr to avoid array index out of bound\n\nThe cmtp_add_connection() would add a cmtp session to a controller\nand run a kernel thread to process cmtp.\n\n\t__module_get(THIS_MODULE);\n\tsession-\u003etask = kthread_run(cmtp_session, session, \"kcmtpd_ctr_%d\",\n\t\t\t\t\t\t\t\tsession-\u003enum);\n\nDuring this process, the kernel thread would call detach_capi_ctr()\nto detach a register controller. if the controller\nwas not attached yet, detach_capi_ctr() would\ntrigger an array-index-out-bounds bug.\n\n[   46.866069][ T6479] UBSAN: array-index-out-of-bounds in\ndrivers/isdn/capi/kcapi.c:483:21\n[   46.867196][ T6479] index -1 is out of range for type 'capi_ctr *[32]'\n[   46.867982][ T6479] CPU: 1 PID: 6479 Comm: kcmtpd_ctr_0 Not tainted\n5.15.0-rc2+ #8\n[   46.869002][ T6479] Hardware name: QEMU Standard PC (i440FX + PIIX,\n1996), BIOS 1.14.0-2 04/01/2014\n[   46.870107][ T6479] Call Trace:\n[   46.870473][ T6479]  dump_stack_lvl+0x57/0x7d\n[   46.870974][ T6479]  ubsan_epilogue+0x5/0x40\n[   46.871458][ T6479]  __ubsan_handle_out_of_bounds.cold+0x43/0x48\n[   46.872135][ T6479]  detach_capi_ctr+0x64/0xc0\n[   46.872639][ T6479]  cmtp_session+0x5c8/0x5d0\n[   46.873131][ T6479]  ? __init_waitqueue_head+0x60/0x60\n[   46.873712][ T6479]  ? cmtp_add_msgpart+0x120/0x120\n[   46.874256][ T6479]  kthread+0x147/0x170\n[   46.874709][ T6479]  ? set_kthread_struct+0x40/0x40\n[   46.875248][ T6479]  ret_from_fork+0x1f/0x30\n[   46.875773][ T6479]","modified":"2026-03-13T05:14:57.628787Z","published":"2024-06-20T12:15:10.447Z","related":["SUSE-SU-2024:2360-1","SUSE-SU-2024:2362-1","SUSE-SU-2024:2365-1","SUSE-SU-2024:2372-1","SUSE-SU-2024:2381-1","SUSE-SU-2024:2384-1","SUSE-SU-2024:2394-1","SUSE-SU-2024:2561-1","SUSE-SU-2024:2895-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/cc20226e218a2375d50dd9ac14fb4121b43375ff"},{"type":"FIX","url":"https://git.kernel.org/stable/c/e8b8de17e164c9f1b7777f1c6f99d05539000036"},{"type":"FIX","url":"https://git.kernel.org/stable/c/1f3e2e97c003f80c4b087092b225c8787ff91e4d"},{"type":"FIX","url":"https://git.kernel.org/stable/c/24219a977bfe3d658687e45615c70998acdbac5a"},{"type":"FIX","url":"https://git.kernel.org/stable/c/285e9210b1fab96a11c0be3ed5cea9dd48b6ac54"},{"type":"FIX","url":"https://git.kernel.org/stable/c/7d91adc0ccb060ce564103315189466eb822cc6a"},{"type":"FIX","url":"https://git.kernel.org/stable/c/7f221ccbee4ec662e2292d490a43ce6c314c4594"},{"type":"FIX","url":"https://git.kernel.org/stable/c/9b6b2db77bc3121fe435f1d4b56e34de443bec75"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"4.4.290"}]},{"events":[{"introduced":"4.5"},{"fixed":"4.9.288"}]},{"events":[{"introduced":"4.10"},{"fixed":"4.14.253"}]},{"events":[{"introduced":"4.15"},{"fixed":"4.19.214"}]},{"events":[{"introduced":"4.20"},{"fixed":"5.4.156"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.76"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.14.15"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc4"}]},{"events":[{"introduced":"0"},{"last_affected":"5.15-rc5"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-4439.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}