Back

CVE-2024-43873

Aug. 21, 2024, 12:30 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Linux Kernel

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
2024-08-21
CVE-2024-43873

CVE-2024-43873 details

Published : Aug. 21, 2024, 1:15 a.m.
Last Modified : Aug. 21, 2024, 12:30 p.m.

Description

In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

References

URL Source
https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b 416baaa9-dc9f-4396-8d5f-8c081fb06d67
This website uses the NVD API, but is not approved or certified by it.