#VU98970 NULL pointer dereference in Linux kernel - CVE-2024-49863

Vulnerability identifier: #VU98970

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-49863

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the vhost_scsi_get_req() function in drivers/vhost/scsi.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

---

External links
https://git.kernel.org/stable/c/6592347f06e2b19a624270a85ad4b3ae48c3b241
https://git.kernel.org/stable/c/46128370a72c431df733af5ebb065c4d48c9ad39
https://git.kernel.org/stable/c/ace9c778a214da9c98d7b69d904d1b0816f4f681
https://git.kernel.org/stable/c/25613e6d9841a1f9fb985be90df921fa99f800de
https://git.kernel.org/stable/c/00fb5b23e1c9cdbe496f5cd6b40367cb895f6c93
https://git.kernel.org/stable/c/61517f33e76d2c5247c1e61e668693afe5b67e6f
https://git.kernel.org/stable/c/221af82f606d928ccef19a16d35633c63026f1be

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.