Use After Free Vulnerability in Synology DiskStation Manager
CVE-2021-27646

9.8CRITICAL

Key Information:

Vendor

Synology
Status
Synology Diskstation Manager (dsm)
Vendor
CVE Published:
12 March 2021

What is CVE-2021-27646?

The use after free vulnerability in the iscsi_snapshot_comm_core component of Synology DiskStation Manager prior to version 6.2.3-25426-3 enables remote attackers to exploit memory management flaws. By sending specially crafted web requests, an attacker may execute arbitrary code on the affected system, which poses significant security risks to users. Timely updates and security best practices are recommended to mitigate potential impacts.

Affected Version(s)

Synology DiskStation Manager (DSM) < 6.2.3-25426-3

References

https://www.synology.com/security/advisory/Synology_SA_20_26
x_refsource_CONFIRM
https://www.zerodayinitiative.com/advisories/ZDI-21-340/
x_refsource_MISC
https://www.zerodayinitiative.com/advisories/ZDI-21-339/
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.