The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf:Fix a verifier failure with xor") ( 5.10-rc1).
Conclusion & alert: CVE-2021-3490 is rated High Exploit Risk (85.4/100): CVSS High severity, with high exploitation likelihood (EPSS 27.48%, 98th percentile). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +24.02% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.46% | 27.48% | +24.02% |
| 2 | 2026-06-06 | 3.76% | 3.46% | -0.30% |
| 3 | 2026-05-24 | — | 3.76% | — |
Full EPSS history (68 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.1 | HIGH |
|
1.1 | 6.0 | [email protected] |
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 7.2 | 2.0 | HIGH |
|
3.9 | 10.0 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-3490 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-3490 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2021-3490 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2021-3490/ |
ubuntu
|
high | CVE-2021-3490 high priority: Ubuntu including 124 source packages (linux, linux-allwinner, …), 1388 status rows across 13 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, trusty, upstream, xenial): DNE 1030, not-affected 197, released 122, ignored 39. | https://ubuntu.com/security/CVE-2021-3490 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | >= 5.10, < 5.10.37 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.11, < 5.11.21 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.12, < 5.12.4 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | 5.13 | cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:* |
| linux | linux_kernel | 5.13 | cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* |
| linux | linux_kernel | 5.13 | cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:* |
| linux | linux_kernel | 5.13 | cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:* |
| canonical | ubuntu_linux | 20.04 | cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
| canonical | ubuntu_linux | 20.10 | cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:* |
| canonical | ubuntu_linux | 21.04 | cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html | Exploit Third Party Advisory VDB Entry |
| https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e | Patch Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20210716-0004/ | Third Party Advisory |
| https://ubuntu.com/security/notices/USN-4949-1 | Third Party Advisory |
| https://ubuntu.com/security/notices/USN-4950-1 | Third Party Advisory |
| https://www.openwall.com/lists/oss-security/2021/05/11/11 | Mailing List Patch Third Party Advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-21-606/ | Third Party Advisory VDB Entry |