Risk | Low |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2024-38538 CVE-2024-40902 CVE-2024-42104 CVE-2024-42148 CVE-2024-45021 |
CWE-ID | CWE-908 CWE-119 CWE-416 CWE-125 CWE-665 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE, SUSE Linux Enterprise Server 11 (Operating systems & Components / Operating system); kernel-syms, kernel-trace-base, kernel-ec2-devel, kernel-xen-devel, kernel-source, kernel-trace-devel, kernel-ec2-base, kernel-default-devel, kernel-xen-base, kernel-default-base, kernel-ec2, kernel-trace, kernel-xen, kernel-default (Operating systems & Components / Operating system package or component) |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU92373
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-38538
CWE-ID: CWE-908 - Use of Uninitialized Resource
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to use of an uninitialized resource within the EXPORT_SYMBOL_GPL() and br_dev_xmit() functions in net/bridge/br_device.c. A local user can perform a denial of service (DoS) attack.
Mitigation
Update the affected package, the Linux Kernel, to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
kernel-syms: before 3.0.101-108.165.1
kernel-trace-base: before 3.0.101-108.165.1
kernel-ec2-devel: before 3.0.101-108.165.1
kernel-xen-devel: before 3.0.101-108.165.1
kernel-source: before 3.0.101-108.165.1
kernel-trace-devel: before 3.0.101-108.165.1
kernel-ec2-base: before 3.0.101-108.165.1
kernel-default-devel: before 3.0.101-108.165.1
kernel-xen-base: before 3.0.101-108.165.1
kernel-default-base: before 3.0.101-108.165.1
kernel-ec2: before 3.0.101-108.165.1
kernel-trace: before 3.0.101-108.165.1
kernel-xen: before 3.0.101-108.165.1
kernel-default: before 3.0.101-108.165.1
https://www.suse.com/support/update/announcement/2024/suse-su-20243617-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU94296
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-40902
CWE-ID: CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to memory corruption within the ea_get() function in fs/jfs/xattr.c. A local user can escalate privileges on the system.
Mitigation
Update the affected package, the Linux Kernel, to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
kernel-syms: before 3.0.101-108.165.1
kernel-trace-base: before 3.0.101-108.165.1
kernel-ec2-devel: before 3.0.101-108.165.1
kernel-xen-devel: before 3.0.101-108.165.1
kernel-source: before 3.0.101-108.165.1
kernel-trace-devel: before 3.0.101-108.165.1
kernel-ec2-base: before 3.0.101-108.165.1
kernel-default-devel: before 3.0.101-108.165.1
kernel-xen-base: before 3.0.101-108.165.1
kernel-default-base: before 3.0.101-108.165.1
kernel-ec2: before 3.0.101-108.165.1
kernel-trace: before 3.0.101-108.165.1
kernel-xen: before 3.0.101-108.165.1
kernel-default: before 3.0.101-108.165.1
https://www.suse.com/support/update/announcement/2024/suse-su-20243617-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU94937
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42104
CWE-ID: CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the nilfs_check_page() and nilfs_error() functions in fs/nilfs2/dir.c. A local user can escalate privileges on the system.
Mitigation
Update the affected package, the Linux Kernel, to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
kernel-syms: before 3.0.101-108.165.1
kernel-trace-base: before 3.0.101-108.165.1
kernel-ec2-devel: before 3.0.101-108.165.1
kernel-xen-devel: before 3.0.101-108.165.1
kernel-source: before 3.0.101-108.165.1
kernel-trace-devel: before 3.0.101-108.165.1
kernel-ec2-base: before 3.0.101-108.165.1
kernel-default-devel: before 3.0.101-108.165.1
kernel-xen-base: before 3.0.101-108.165.1
kernel-default-base: before 3.0.101-108.165.1
kernel-ec2: before 3.0.101-108.165.1
kernel-trace: before 3.0.101-108.165.1
kernel-xen: before 3.0.101-108.165.1
kernel-default: before 3.0.101-108.165.1
https://www.suse.com/support/update/announcement/2024/suse-su-20243617-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU94952
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-42148
CWE-ID: CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within drivers/net/ethernet/broadcom/bnx2x/bnx2x.h. A local user can perform a denial of service (DoS) attack.
Mitigation
Update the affected package, the Linux Kernel, to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
kernel-syms: before 3.0.101-108.165.1
kernel-trace-base: before 3.0.101-108.165.1
kernel-ec2-devel: before 3.0.101-108.165.1
kernel-xen-devel: before 3.0.101-108.165.1
kernel-source: before 3.0.101-108.165.1
kernel-trace-devel: before 3.0.101-108.165.1
kernel-ec2-base: before 3.0.101-108.165.1
kernel-default-devel: before 3.0.101-108.165.1
kernel-xen-base: before 3.0.101-108.165.1
kernel-default-base: before 3.0.101-108.165.1
kernel-ec2: before 3.0.101-108.165.1
kernel-trace: before 3.0.101-108.165.1
kernel-xen: before 3.0.101-108.165.1
kernel-default: before 3.0.101-108.165.1
https://www.suse.com/support/update/announcement/2024/suse-su-20243617-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU97184
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-45021
CWE-ID: CWE-665 - Improper Initialization
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper initialization within the memcg_write_event_control() function in mm/memcontrol.c. A local user can perform a denial of service (DoS) attack.
Mitigation
Update the affected package, the Linux Kernel, to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
kernel-syms: before 3.0.101-108.165.1
kernel-trace-base: before 3.0.101-108.165.1
kernel-ec2-devel: before 3.0.101-108.165.1
kernel-xen-devel: before 3.0.101-108.165.1
kernel-source: before 3.0.101-108.165.1
kernel-trace-devel: before 3.0.101-108.165.1
kernel-ec2-base: before 3.0.101-108.165.1
kernel-default-devel: before 3.0.101-108.165.1
kernel-xen-base: before 3.0.101-108.165.1
kernel-default-base: before 3.0.101-108.165.1
kernel-ec2: before 3.0.101-108.165.1
kernel-trace: before 3.0.101-108.165.1
kernel-xen: before 3.0.101-108.165.1
kernel-default: before 3.0.101-108.165.1
https://www.suse.com/support/update/announcement/2024/suse-su-20243617-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.