CVE-2021-3996
Description
A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
23- util-linux/libmountdescription
- Range: <2.37.3
- Range: <2.37.3
- osv-coords20 versionspkg:rpm/opensuse/libeconf&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/python3-libmount&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/shadow&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/util-linux&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/util-linux&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/util-linux-systemd&distro=openSUSE%20Leap%2015.3pkg:rpm/suse/libeconf&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/libeconf&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/libeconf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/libeconf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Transactional%20Server%2015%20SP3pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/shadow&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/util-linux&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/util-linux&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/util-linux&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/util-linux-systemd&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/util-linux-systemd&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/util-linux-systemd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/util-linux-systemd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3
< 0.4.4+git20220104.962774f-150300.3.6.2+ 19 more
- (no CPE)range: < 0.4.4+git20220104.962774f-150300.3.6.2
- (no CPE)range: < 2.36.2-150300.4.14.2
- (no CPE)range: < 4.8.1-150300.4.3.8
- (no CPE)range: < 2.36.2-150300.4.14.3
- (no CPE)range: < 2.37.3-1.1
- (no CPE)range: < 2.36.2-150300.4.14.2
- (no CPE)range: < 0.4.4+git20220104.962774f-150300.3.6.2
- (no CPE)range: < 0.4.4+git20220104.962774f-150300.3.6.2
- (no CPE)range: < 0.4.4+git20220104.962774f-150300.3.6.2
- (no CPE)range: < 0.4.4+git20220104.962774f-150300.3.6.2
- (no CPE)range: < 4.8.1-150300.4.3.8
- (no CPE)range: < 4.8.1-150300.4.3.8
- (no CPE)range: < 4.8.1-150300.4.3.8
- (no CPE)range: < 2.36.2-150300.4.14.3
- (no CPE)range: < 2.36.2-150300.4.14.3
- (no CPE)range: < 2.36.2-150300.4.14.3
- (no CPE)range: < 2.36.2-150300.4.14.2
- (no CPE)range: < 2.36.2-150300.4.14.2
- (no CPE)range: < 2.36.2-150300.4.14.2
- (no CPE)range: < 2.36.2-150300.4.14.2
Patches
Vulnerability mechanics
Root cause
"A logic error in the libmount library allowed unprivileged users to unmount filesystems they did not own."
Attack vector
A local, unprivileged user can trigger this vulnerability by attempting to unmount a FUSE filesystem. If the target filesystem is world-writable or mounted within a world-writable directory, the unprivileged user can successfully unmount it. This can lead to denial of service for applications relying on the unmounted filesystem.
Affected code
The vulnerability lies within the libmount library of util-linux, specifically in the `findmnt` command and its related functions. The commit `166e87368ae88bf31112a30e078cceae637f4cdb` addresses this by removing support for deleted mount table entries and related options [ref_id=1].
What the fix does
The patch removes the `COL_DELETED` column and associated logic from the `findmnt` command and its internal library functions [ref_id=1]. This change eliminates the functionality that allowed `findmnt` to operate on or consider deleted mount table entries, thereby preventing the logic error that enabled unprivileged users to unmount other users' filesystems.
Preconditions
- inputThe target filesystem must be a FUSE filesystem.
- inputThe target filesystem must be world-writable or mounted in a world-writable directory.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
10- security.gentoo.org/glsa/202401-08mitrevendor-advisory
- seclists.org/fulldisclosure/2022/Dec/4mitremailing-list
- www.openwall.com/lists/oss-security/2022/11/30/2mitremailing-list
- packetstormsecurity.com/files/170176/snap-confine-must_mkdir_and_open_with_perms-Race-Condition.htmlmitre
- access.redhat.com/security/cve/CVE-2021-3996mitre
- bugzilla.redhat.com/show_bug.cgimitre
- github.com/util-linux/util-linux/commit/166e87368ae88bf31112a30e078cceae637f4cdbmitre
- mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.37/v2.37.3-ReleaseNotesmitre
- security.netapp.com/advisory/ntap-20221209-0002/mitre
- www.openwall.com/lists/oss-security/2022/01/24/2mitre
News mentions
0No linked articles in our index yet.