U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2024-43854 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://git.kernel.org/stable/c/129f95948a96105c1fad8e612c9097763e88ac5f
https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644 Patch 
https://git.kernel.org/stable/c/3fd11fe4f20756b4c0847f755a64cd96f8c6a005
https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f Patch 
https://git.kernel.org/stable/c/9f4af4cf08f9a0329ade3d938f55d2220c40d0a6
https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2 Patch 
https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1 Patch 
https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00 Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-401 Missing Release of Memory after Effective Lifetime cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-43854
NVD Published Date:
08/17/2024
NVD Last Modified:
09/12/2024
Source:
kernel.org