CVE-2021-33574 log

Source
Severity Low
Remote No
Type Arbitrary code execution
Description
The mq_notify function in the GNU C Library (aka glibc) through 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

NOTE: Applying commits 42d359350510506b87101cf77202fefcbfc790cb and 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 fixes CVE-2021-33574, but opens up another issue CVE-2021-38604.
Group Package Affected Fixed Severity Status Ticket
AVG-1621 glibc 2.33-5 Medium Vulnerable
References
https://sourceware.org/bugzilla/show_bug.cgi?id=27896
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=42d359350510506b87101cf77202fefcbfc790cb
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091