#VU94249 NULL pointer dereference in Linux kernel - CVE-2024-40951


Vulnerability identifier: #VU94249

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-40951

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ocfs2_fill_super() function in fs/ocfs2/super.c, within the to_ocfs2_trigger(), ocfs2_db_frozen_trigger() and __ocfs2_journal_access() functions in fs/ocfs2/journal.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

External links
https://git.kernel.org/stable/c/67bcecd780609f471260a8c83fb0ae15f27734ce
https://git.kernel.org/stable/c/eb63357ef229fae061ce7ce2839d558681c42f1a
https://git.kernel.org/stable/c/685d03c3795378fca6a1b3d43581f7f1a3fc095f

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for linux-hwe-6.8
Ubuntu update for linux-raspi
Ubuntu update for linux-nvidia-6.8
Ubuntu update for linux-lowlatency-hwe-6.8
Ubuntu update for linux-azure
Ubuntu update for linux-nvidia
Ubuntu update for linux
openEuler 24.03 LTS update for kernel
NULL pointer dereference in Linux kernel ocfs2