#VU94236 Out-of-bounds read in Linux kernel - CVE-2024-40953

Cybersecurity Help s.r.o.

Published: 2024-07-13

Vulnerability identifier: #VU94236

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40953

CWE-ID: CWE-125

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the kvm_vcpu_on_spin() function in virt/kvm/kvm_main.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c
https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20
https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60
https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for linux-iot

Ubuntu update for linux-aws-5.4

Ubuntu update for linux-fips

Ubuntu update for linux-nvidia-tegra

Ubuntu update for linux-xilinx-zynqmp

Ubuntu update for linux-aws-5.15

Ubuntu update for linux-hwe-5.15

Ubuntu update for linux-kvm

Ubuntu update for linux-ibm

Ubuntu update for linux-aws