CVE-2024-50110

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Nov 5, 2024
Updated: Nov 8, 2024
CWE ID 908

Summary

CVE-2024-50110 is a kernel vulnerability in Linux that was discovered during fuzz testing. The issue lies in the xfrm module, specifically in the function _copy_to_iter. Uninitialized memory was found to be stored in a copy_to_user_state_extra variable and later used to dump state information. The uninitialized memory was created during the allocation of a new xfrm state using __kmalloc. The vulnerability allows an attacker to leak kernel information to user space. This issue has been resolved by padding structures with zeroes to prevent sensitive data from being given directly to user-space. A similar issue was addressed in a previous commit. The Linux Verification Center discovered this vulnerability using Syzkaller.
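
The bug class described in the summary, as an added user-space C illustration (not kernel code and not taken from the fix): a record filled field by field keeps stale bytes in its padding and unused buffer tail, while zeroing it first does not. The struct, the function names and the 0xAA marker are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old heap contents */

/* Hypothetical record, not a kernel struct; common ABIs pad after `kind`. */
struct algo_dump {
    uint8_t  kind;
    uint32_t key_len;
    char     name[16];
};

static void fill(struct algo_dump *d, int zero_first)
{
    if (zero_first)
        memset(d, 0, sizeof(*d)); /* hardened: padding and name tail are 0 */
    d->kind = 1;
    d->key_len = 256;
    strcpy(d->name, "sha256");    /* writes only 7 of the 16 bytes */
}

/* Returns how many stale bytes a byte-wise copy of the record carries out. */
static size_t stale_bytes(int zero_first)
{
    struct algo_dump *d = malloc(sizeof(*d));
    unsigned char out[sizeof(struct algo_dump)];
    size_t i, n = 0;

    if (!d)
        return (size_t)-1;
    memset(d, STALE, sizeof(*d)); /* simulate reused, uninitialized memory */
    fill(d, zero_first);
    memcpy(out, d, sizeof(out));  /* stands in for the copy to user space */
    free(d);
    for (i = 0; i < sizeof(out); i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("field-by-field: %zu stale bytes\n", stale_bytes(0));
    printf("zeroed first:   %zu stale bytes\n", stale_bytes(1));
    return 0;
}
```
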
