CVE-2024-44947

Sept. 16, 2024, 5:52 p.m.

5.5
Medium

Description

In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

Product(s) Impacted

Vendor Product Versions
Linux
  • Linux Kernel
  • *, 6.11

Weaknesses

CWE-665
Improper Initialization
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel / / / / / / / /
o linux linux_kernel 6.11 rc1 / / / / / /
o linux linux_kernel 6.11 rc2 / / / / / /
o linux linux_kernel 6.11 rc3 / / / / / /

References

https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6

Tags

416baaa9-dc9f-4396-8d5f-8c081fb06d67
CWE-665
2024-09-02
CVE-2024-44947

CVSS Score

5.5 / 10

CVSS Data

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
    • View Vector String

    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Date

  • Published: Sept. 2, 2024, 6:15 p.m.
  • Last Modified: Sept. 16, 2024, 5:52 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.