CVE-2024-41052

MEDIUM

Linux Kernel 6.6.36-6.6.40 and 6.9.7-6.9.9 - Use of Uninitialized Resource in VFIO PCI Hot-Reset Device Counting

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: Init the count variable in collecting hot-reset devices The count variable is used without initialization, it results in mistakes in the device counting and crashes the userspace if the get hot reset info path is triggered.

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/f476dffc52ea70745dcabf63288e770e50ac9ab3

Patch

https://git.kernel.org/stable/c/f44136b9652291ac1fc39ca67c053ac624d0d11b

Patch

https://git.kernel.org/stable/c/5a88a3f67e37e39f933b38ebb4985ba5822e9eca

Scores

CVSS v3 5.5

EPSS 0.0027

EPSS Percentile 18.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-908

Status published

Products (8)

linux/Kernel 6.6.36 - 6.6.41linux

linux/Kernel 6.9.7 - 6.9.10linux

Linux/Linux 6.6.36 - 6.6.41

Linux/Linux 6.9.7 - 6.9.10

Linux/Linux 618fbf4c910a06a3aa6a8b88a5fb1f2197f964f3 - f476dffc52ea70745dcabf63288e770e50ac9ab3

Linux/Linux 9313244c26f3792daa86f3a18cc3bd5ad60310e0 - f44136b9652291ac1fc39ca67c053ac624d0d11b

Linux/Linux f6944d4a0b87c16bc34ae589169e1ded3d4db08e - 5a88a3f67e37e39f933b38ebb4985ba5822e9eca

linux/linux_kernel 6.6.36 - 6.6.41

Published Jul 29, 2024

Tracked Since Feb 18, 2026