U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2024-27431 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: cpumap: Zero-initialise xdp_rxq_info struct before running XDP program When running an XDP program that is attached to a cpumap entry, we don't initialise the xdp_rxq_info data structure being used in the xdp_buff that backs the XDP program invocation. Tobias noticed that this leads to random values being returned as the xdp_md->rx_queue_index value for XDP programs running in a cpumap. This means we're basically returning the contents of the uninitialised memory, which is bad. Fix this by zero-initialising the rxq data structure before running the XDP program.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5
https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5
https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95
https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95
https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297
https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297
https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6
https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6
https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b
https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b
https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a
https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Weakness Enumeration

CWE-ID CWE Name Source
CWE-908 Use of Uninitialized Resource CISA-ADP  

Change History

6 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-27431
NVD Published Date:
05/17/2024
NVD Last Modified:
11/21/2024
Source:
kernel.org