Improper resource shutdown or release in Linux kernel s390 pci

Published: 2024-12-30

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-56699
CWE-ID	CWE-404
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper resource shutdown or release

EUVDB-ID: #VU102262

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56699

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to failure to properly release resources within the zpci_device_reserved() and zpci_release_device() functions in arch/s390/pci/pci.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

CPE2.3

cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/371bd905599d18da62d75e3974acbf6a41e315c7
https://git.kernel.org/stable/c/c1489651071ab1be46d2af1da8adb15c9fc3c069
https://git.kernel.org/stable/c/c4a585e952ca403a370586d3f16e8331a7564901

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.