PatchSiren

CVE-2021-4090 NetApp CVE debrief

CVE-2021-4090 is an out-of-bounds write in Linux NFSD’s bitmap decode path. A local user with low privileges may be able to write past the end of a bitmap buffer, which can threaten kernel memory integrity and confidentiality. NVD also maps the issue to several NetApp H-series firmware CPEs, so both Linux kernel and affected appliance inventories should be checked.

Vendor: NetApp
Product: CVE-2021-4090
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-02-18
Original CVE updated: 2026-05-12
Advisory published: 2022-02-18
Advisory updated: 2026-05-12

Who should care

Linux administrators running NFS server workloads, security teams responsible for kernel patching, and NetApp H-series appliance owners should prioritize this CVE. It is especially relevant where untrusted local users, shared hosts, or multi-tenant workloads increase the value of a local kernel memory corruption flaw.

Technical summary

NVD describes the flaw in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c, where missing sanity checks can allow a write beyond bmval[bmlen-1]. The issue is classified as CWE-787 and has CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating local exploitation requiring low privileges, with high confidentiality and integrity impact but no direct availability impact.
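
The class of check the summary says was missing, shown as an added illustration: this is a user-space C model written for this debrief, not the kernel's code and not taken from NVD or any vendor advisory. The names be32_at, decode_bitmap_checked and oversized_count_is_contained, the sample message, and the choice to ignore surplus words rather than reject them are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical user-space model of a counted XDR bitmap: a 32-bit big-endian
 * word count followed by that many 32-bit big-endian words. */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode into bmval[0..bmlen-1]. Returns the count claimed by the sender,
 * or -1 if the input is truncated. Never writes past bmval[bmlen-1]. */
static long decode_bitmap_checked(const uint8_t *buf, size_t buflen,
                                  uint32_t *bmval, uint32_t bmlen)
{
    uint32_t count, ncopy, i;

    if (buflen < 4)
        return -1;
    count = be32_at(buf);
    /* The input must actually contain the words it claims to carry. */
    if (count > (buflen - 4) / 4)
        return -1;
    /* The sanity check at issue: the sender-supplied count is clamped to
     * the destination size before it is used as a write bound. */
    ncopy = count < bmlen ? count : bmlen;
    for (i = 0; i < ncopy; i++)
        bmval[i] = be32_at(buf + 4 + 4 * (size_t)i);
    /* Zero-fill the words the sender did not supply. */
    for (; i < bmlen; i++)
        bmval[i] = 0;
    return (long)count;
}

/* Constructed sample: claims 5 words, destination holds 3 plus a canary. */
static int oversized_count_is_contained(void)
{
    uint8_t msg[4 + 5 * 4] = {0, 0, 0, 5};
    uint32_t dst[4] = {0, 0, 0, 0xC0FFEE00u}; /* dst[3] is the canary */
    size_t i;

    for (i = 4; i < sizeof(msg); i++)
        msg[i] = 0xAA;
    return decode_bitmap_checked(msg, sizeof(msg), dst, 3) == 5 &&
           dst[2] == 0xAAAAAAAAu && dst[3] == 0xC0FFEE00u;
}

int main(void) { return oversized_count_is_contained() ? 0 : 1; }
```

Without the clamp on the copy bound, the same input would store words at dst[3] and dst[4], which is the out-of-bounds write pattern CWE-787 names.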

Defensive priority

High. This is a locally reachable kernel memory corruption issue in an NFS server code path, so patching should be prioritized on systems that run affected Linux kernels or matching NetApp firmware. Because the impact is on core memory integrity and confidentiality, remediation should be treated as urgent where local login access is not tightly controlled.

Recommended defensive actions

  • Apply the vendor-fixed Linux kernel update; NVD marks Linux kernel versions before 5.16 as affected.
  • Review NetApp guidance for the H300s, H500s, H700s, H300e, H500e, H700e, H410s, and H410c firmware CPEs listed by NVD.
  • Use asset inventory to confirm whether any deployed kernels or firmware match the affected CPEs before and after patching.
  • Limit unnecessary local user access on systems that expose NFS server functionality.
  • Track the Red Hat and Linux NFS references for patch context and vendor-specific remediation guidance.
  • Validate remediation against vendor advisories rather than relying only on broad product-family matching.

Evidence notes

The CVE record was published on 2022-02-18 and last modified on 2026-05-12. NVD cites CWE-787 and includes references to a Red Hat Bugzilla issue, a Linux NFS mailing list thread, a NetApp advisory, and a Siemens advisory. The NVD CPE data maps the issue to Linux kernel releases before 5.16 plus specific NetApp H-series firmware entries, so exposure should be validated against exact deployed versions and vendor-fixed builds.

Official resources

Publicly recorded in the CVE/NVD entry on 2022-02-18, with follow-on vendor and community references in Red Hat, Linux NFS, NetApp, and Siemens materials.