CVE-2021-47098 affects the Linux kernel's hwmon (hardware monitoring) subsystem, specifically the lm90 driver. The issue arises from a flawed hysteresis calculation in the temperature limit setting logic. When the hysteresis value is set to MAX_LONG while the critical temperature limit is negative, an integer underflow occurs.
The root cause of this problem lies in the incomplete fix introduced by commit b50aa49638c7, which addressed several underflow situations but missed one specific scenario. To mitigate this vulnerability, the Linux kernel CVE team recommends using the clamp_val() function when setting the hysteresis temperature to prevent integer overflow or underflow.
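
The subtraction described above, modelled in user-space C as an added example (not the driver's code and not part of the original page). The bounds `HYST_MIN`/`HYST_MAX`, the function names, and the lower-bound-only "before" variant are assumptions for illustration; `clamp_long()` stands in for the kernel's `clamp_val()`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed limits in millidegrees Celsius; illustrative, not taken from the page. */
#define HYST_MIN (-128000L)
#define HYST_MAX (255000L)

/* User-space stand-in for the kernel's clamp_val(). */
static long clamp_long(long v, long lo, long hi)
{
	return v < lo ? lo : (v > hi ? hi : v);
}

/*
 * Assumed model of an incomplete fix: only the lower bound is enforced.
 * Returns false when crit_mc - val cannot be represented in a long.
 */
static bool hyst_lower_bound_only(long crit_mc, long val, long *out)
{
	if (val < HYST_MIN)
		val = HYST_MIN;
	return !__builtin_sub_overflow(crit_mc, val, out);
}

/* Both bounds enforced before the subtraction, so it can never wrap. */
static bool hyst_clamped(long crit_mc, long val, long *out)
{
	val = clamp_long(val, HYST_MIN, HYST_MAX);
	return !__builtin_sub_overflow(crit_mc, val, out);
}

int main(void)
{
	long out = 0;
	long crit_mc = -1000; /* constructed sample: critical limit of -1 degree C */

	/* Negative limit minus LONG_MAX falls below LONG_MIN. */
	printf("lower-bound only: %s\n",
	       hyst_lower_bound_only(crit_mc, LONG_MAX, &out) ? "ok" : "wraps");

	/* Clamped input keeps the difference in range. */
	if (hyst_clamped(crit_mc, LONG_MAX, &out))
		printf("clamped: difference = %ld\n", out);
	return 0;
}
```

With a positive critical limit the same unclamped subtraction stays representable, which is why the missed case needs a negative limit.
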
The only affected file is drivers/hwmon/lm90.c, and the issue was introduced in kernel version 5.14 with commit b50aa49638c7. The vulnerability is fixed in kernel versions 5.15.12 with commit d105f30bea91 and 5.16 with commit 55840b9eae53. To resolve this issue, users are advised to update to the latest stable kernel version or apply the individual changes provided by the Linux kernel CVE team.