CVE-2021-3864: 
Linux Debian vulnerability analysis and mitigation

A flaw was discovered in the Linux kernel's handling of the dumpable flag setting when certain SUID binaries executed their descendants. The vulnerability (CVE-2021-3864) affects systems where a SUID binary sets real UID equal to effective UID, and real GID equal to effective GID. When these conditions are met, the descendant process will have its dumpable value set to 1, which could lead to security issues if the core_pattern is set to a relative value (MITRE CVE, Debian Tracker).

The vulnerability exists in the Linux kernel's process core dump handling mechanism. When a SUID binary executes a descendant process after setting real UID equal to effective UID and real GID equal to effective GID, the descendant process's dumpable value is incorrectly set to 1. If the system's corepattern is configured with a relative value, the core dump is stored in the current directory with uid:gid permissions. This behavior occurs in the beginnew_exec function within fs/exec.c (OSS Security).

An unprivileged local user with access to an eligible root SUID binary could exploit this vulnerability to place core dumps into root-owned directories. This could potentially result in privilege escalation on the system. The impact is particularly severe when combined with other system utilities like logrotate, which could be manipulated to execute arbitrary code with elevated privileges (OSS Security).

Several mitigation strategies are available: 1) Change /proc/sys/kernel/corepattern to an absolute, safe directory to prevent logrotate exploitation, 2) Add pamlimits.so to sudo's PAM configuration and set RLIMITCORE to 0, which prevents sudo from being exploited. A permanent fix was proposed in the Linux kernel to reset RLIMITCORE of a SUID process to 0 by default (OSS Security).