CVE-2024-27431 : In the Linux kernel, the following vulnerability has been resolved: cpumap: Zer

In the Linux kernel, the following vulnerability has been resolved: cpumap: Zero-initialise xdp_rxq_info struct before running XDP program When running an XDP program that is attached to a cpumap entry, we don't initialise the xdp_rxq_info data structure being used in the xdp_buff that backs the XDP program invocation. Tobias noticed that this leads to random values being returned as the xdp_md->rx_queue_index value for XDP programs running in a cpumap. This means we're basically returning the contents of the uninitialised memory, which is bad. Fix this by zero-initialising the rxq data structure before running the XDP program.

Published 2024-05-17 12:15:16

Updated 2024-11-05 10:16:34

Source Linux

View at NVD, CVE.org

Products affected by CVE-2024-27431

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-27431

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-27431

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	1.8	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	RedHat-CVE-2024-27431	2024-05-18
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2024-27431

CWE-908 Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-27431

https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree
https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree
https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree
https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree
https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

[SECURITY] [DLA 3842-1] linux-5.10 security update

CVEs referencing this url
https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6

cpumap: Zero-initialise xdp_rxq_info struct before running XDP program - kernel/git/stable/linux.git - Linux kernel stable tree

Jump to

Vulnerability Details : CVE-2024-27431

Products affected by CVE-2024-27431

Exploit prediction scoring system (EPSS) score for CVE-2024-27431

CVSS scores for CVE-2024-27431

CWE ids for CVE-2024-27431

References for CVE-2024-27431