CVE-2024-42070

MEDIUM

Linux Kernel < 3.13 - Memory Leak

Title source: rule

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers register store validation for NFT_DATA_VALUE is conditional, however, the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This only requires a new helper function to infer the register type from the set datatype so this conditional check can be removed. Otherwise, pointer to chain object can be leaked through the registers.

References (9)

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

[Patch] https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4

[Patch] https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f

[Patch] https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f

[Patch] https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8

[Patch] https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf

[Patch] https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c

[Patch] https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564

[Patch] https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007

Scores

CVSS v3 5.5

EPSS 0.0001

EPSS Percentile 1.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401

Status published

Affected Products (1)

linux/linux_kernel < 3.13

Timeline

Published Jul 29, 2024

Tracked Since Feb 18, 2026