NULL pointer dereference in Linux kernel

#VU96847 NULL pointer dereference in Linux kernel

Published: 2024-09-05

Vulnerability identifier: #VU96847

Vulnerability risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-44989

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the bond_ipsec_del_sa_all() function in drivers/net/bonding/bond_main.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21
http://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294
http://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f
http://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548
http://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436
http://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for linux

NULL pointer dereference in Linux kernel net bonding driver