Vulnerability identifier: #VU94117
Vulnerability risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Local network
Exploit availability: No
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing ICMPv6 packets within the parse_icmpv6() function in net/openvswitch/flow.c. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/6a51ac92bf35d34b4996d6eb67e2fe469f573b11
https://git.kernel.org/stable/c/0b532f59437f688563e9c58bdc1436fefa46e3b5
https://git.kernel.org/stable/c/5ab6aecbede080b44b8e34720ab72050bf1e6982
https://git.kernel.org/stable/c/483eb70f441e2df66ade78aa7217e6e4caadfef3
https://git.kernel.org/stable/c/9ec8b0ccadb908d92f7ee211a4eff05fd932f3f6
https://git.kernel.org/stable/c/78741b4caae1e880368cb2f5110635f3ce45ecfd
https://git.kernel.org/stable/c/431e9215576d7b728f3f53a704d237a520092120
https://git.kernel.org/stable/c/d73fb8bddf89503c9fae7c42e50d44c89909aad6
https://git.kernel.org/stable/c/7c988176b6c16c516474f6fceebe0f055af5eb56
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.