CVE-2024-43854

MEDIUM

Linux Kernel < 5.15.165 - Memory Leak

Title source: rule

Description

In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.

References (10)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

[Patch] https://git.kernel.org/stable/c/129f95948a96105c1fad8e612c9097763e88ac5f

[Patch] https://git.kernel.org/stable/c/3fd11fe4f20756b4c0847f755a64cd96f8c6a005

[Patch] https://git.kernel.org/stable/c/9f4af4cf08f9a0329ade3d938f55d2220c40d0a6

[Patch] https://git.kernel.org/stable/c/23a19655fb56f241e592041156dfb1c6d04da644

[Patch] https://git.kernel.org/stable/c/899ee2c3829c5ac14bfc7d3c4a5846c0b709b78f

[Patch] https://git.kernel.org/stable/c/cf6b45ea7a8df0f61bded1dc4a8561ac6ad143d2

[Patch] https://git.kernel.org/stable/c/d418313bd8f55c079a7da12651951b489a638ac1

[Patch] https://git.kernel.org/stable/c/ebc0e91ba76dc6544fff9f5b66408b1982806a00

Scores

CVSS v3 5.5

EPSS 0.0002

EPSS Percentile 5.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-401

Status published

Affected Products (8)

linux/linux_kernel < 5.15.165

linux/Kernel < 4.19.322linux

linux/Kernel < 5.4.284linux

linux/Kernel < 5.10.226linux

linux/Kernel < 5.15.165linux

linux/Kernel < 6.1.103linux

linux/Kernel < 6.6.44linux

linux/Kernel < 6.10.3linux

Timeline

Published Aug 17, 2024

Tracked Since Feb 18, 2026