#VU102963 Integer overflow in Linux kernel - CVE-2024-57890
Vulnerability identifier: #VU102963
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-190
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer overflow within the uverbs_request_next_ptr(), ib_uverbs_post_send() and ib_uverbs_unmarshall_recv() functions in drivers/infiniband/core/uverbs_cmd.c. A local user can execute arbitrary code.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/346db03e9926ab7117ed9bf19665699c037c773c
https://git.kernel.org/stable/c/42a6eb4ed7a9a41ba0b83eb0c7e0225b5fca5608
https://git.kernel.org/stable/c/b3ef4ae713360501182695dd47d6b4f6e1a43eb8
https://git.kernel.org/stable/c/b92667f755749cf10d9ef1088865c555ae83ffb7
https://git.kernel.org/stable/c/c2f961c46ea0e5274c5c320d007c2dd949cf627a
https://git.kernel.org/stable/c/c57721b24bd897338a81a0ca5fff41600f0f1ad1
https://git.kernel.org/stable/c/d0257e089d1bbd35c69b6c97ff73e3690ab149a9
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
