CVE-2024-26973

MEDIUM

Linux Kernel - Information Disclosure via Uninitialized FAT File Handle

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: fat: fix uninitialized field in nostale filehandles When fat_encode_fh_nostale() encodes file handle without a parent it stores only first 10 bytes of the file handle. However the length of the file handle must be a multiple of 4 so the file handle is actually 12 bytes long and the last two bytes remain uninitialized. This is not great at we potentially leak uninitialized information with the handle to userspace. Properly initialize the full handle length.

References (13)

Core 13
Core References

Scores

CVSS v3 5.5
EPSS 0.0026
EPSS Percentile 16.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-908
Status published
Products (30)
debian/debian_linux 10.0
linux/Kernel 3.10.0 - 4.19.312linux
linux/Kernel 4.20.0 - 5.4.274linux
linux/Kernel 5.11.0 - 5.15.154linux
linux/Kernel 5.16.0 - 6.1.84linux
linux/Kernel 5.5.0 - 5.10.215linux
linux/Kernel 6.2.0 - 6.6.24linux
linux/Kernel 6.7.0 - 6.7.12linux
linux/Kernel 6.8.0 - 6.8.3linux
Linux/Linux < 3.10
... and 20 more
Published May 01, 2024
Tracked Since Feb 18, 2026