CVE-2021-4048
Published: 8 December 2021
An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
lapack Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(3.10.0-2ubuntu1)
|
|
| kinetic |
Not vulnerable
(3.10.0-2ubuntu1)
|
|
| lunar |
Not vulnerable
(3.10.0-2ubuntu1)
|
|
| mantic |
Not vulnerable
(3.10.0-2ubuntu1)
|
|
| noble |
Not vulnerable
(3.10.0-2ubuntu1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(3.10.0-2)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/Reference-LAPACK/lapack/pull/625 upstream: https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781 |
||
|
openblas Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(0.3.18+ds-2)
|
|
| kinetic |
Not vulnerable
(0.3.18+ds-2)
|
|
| lunar |
Not vulnerable
(0.3.18+ds-2)
|
|
| mantic |
Not vulnerable
(0.3.18+ds-2)
|
|
| noble |
Not vulnerable
(0.3.18+ds-2)
|
|
| trusty |
Needs triage
|
|
| upstream |
Released
(0.3.18+ds-1)
|
|
| xenial |
Needs triage
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |