Anolis OS update for kernel

Published: 2025-03-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-2201 CVE-2024-41071
CWE-ID	CWE-1037 CWE-125
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software	Anolis OS Operating systems & Components / Operating system kernel-doc Operating systems & Components / Operating system package or component kernel-abi-whitelists Operating systems & Components / Operating system package or component python-perf Operating systems & Components / Operating system package or component perf Operating systems & Components / Operating system package or component kernel-tools-libs-devel Operating systems & Components / Operating system package or component kernel-tools-libs Operating systems & Components / Operating system package or component kernel-tools Operating systems & Components / Operating system package or component kernel-headers Operating systems & Components / Operating system package or component kernel-devel Operating systems & Components / Operating system package or component kernel-debug-devel Operating systems & Components / Operating system package or component kernel-debug Operating systems & Components / Operating system package or component kernel Operating systems & Components / Operating system package or component bpftool Operating systems & Components / Operating system package or component
Vendor	OpenAnolis

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Processor optimization removal or modification of security-critical code

EUVDB-ID: #VU88374

Risk: Medium

CVSSv4.0: 7.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green]

CVE-ID: CVE-2024-2201

CWE-ID: CWE-1037 - Processor optimization removal or modification of security-critical code

Exploit availability: No

Description

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to native branch history injection on x86 systems. A malicious guest can infer the contents of arbitrary host memory, including memory assigned to other guests and compromise the affected system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 7

kernel-doc: before 3.10.0-1160.125.1

kernel-abi-whitelists: before 3.10.0-1160.125.1

python-perf: before 3.10.0-1160.125.1

perf: before 3.10.0-1160.125.1

kernel-tools-libs-devel: before 3.10.0-1160.125.1

kernel-tools-libs: before 3.10.0-1160.125.1

kernel-tools: before 3.10.0-1160.125.1

kernel-headers: before 3.10.0-1160.125.1

kernel-devel: before 3.10.0-1160.125.1

kernel-debug-devel: before 3.10.0-1160.125.1

kernel-debug: before 3.10.0-1160.125.1

kernel: before 3.10.0-1160.125.1

bpftool: before 3.10.0-1160.125.1

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:1117

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU94956

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-41071

CWE-ID: CWE-125 - Out-of-bounds read