CVE-2024-42154: tcp_metrics: validate source addr length
In the Linux kernel, the following vulnerability has been resolved:
tcp_metrics: validate source addr length
I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6, but v6 is manually validated).
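The class of bug described above is a netlink-style attribute parser that reads a fixed number of bytes from an attribute without first checking that the attribute actually carries that many bytes. The following userspace C program is an added illustration, not the kernel's tcp_metrics code and not the CVE's patch: it walks a buffer of length/type/payload attributes, enforces a per-type minimum payload length from a policy table (the same idea as the kernel's nla_policy), and only then reads the 4-byte IPv4 source address. The attribute numbering, the struct layout and the two sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical attribute types for this example (not the kernel's enum). */
enum {
    ATTR_UNSPEC = 0,
    ATTR_ADDR_IPV4,   /* 4-byte IPv4 destination address */
    ATTR_SADDR_IPV4,  /* 4-byte IPv4 source address: the attribute CVE-2024-42154 left unchecked */
    ATTR_MAX_TYPE
};

/* Netlink-like attribute header: 16-bit total length (including header), 16-bit type,
 * payload, then padding to a 4-byte boundary. Host byte order, as netlink uses. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_HDRLEN   ((int)sizeof(struct attr_hdr))
#define ATTR_ALIGN(n) (((n) + 3) & ~3)

/* Policy table: minimum payload length per attribute type; 0 means "not accepted".
 * The vulnerable kernel had no entry at all for the source-address attribute. */
static const size_t attr_policy[ATTR_MAX_TYPE] = {
    [ATTR_ADDR_IPV4]  = 4,
    [ATTR_SADDR_IPV4] = 4,
};

struct parsed { const uint8_t *attr[ATTR_MAX_TYPE]; };

/* Walk the buffer and validate every attribute against the policy.
 * Returns 0 on success, -1 if any attribute is truncated, unknown, or too short. */
int parse_attrs(const uint8_t *buf, size_t buflen, struct parsed *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off + ATTR_HDRLEN <= buflen) {
        struct attr_hdr h;
        memcpy(&h, buf + off, sizeof h);               /* copy out: no unaligned access */
        if (h.len < ATTR_HDRLEN || off + h.len > buflen)
            return -1;                                  /* header lies about its length */
        if (h.type >= ATTR_MAX_TYPE || attr_policy[h.type] == 0)
            return -1;                                  /* type not covered by policy */
        if ((size_t)(h.len - ATTR_HDRLEN) < attr_policy[h.type])
            return -1;                                  /* payload shorter than a later read expects */
        out->attr[h.type] = buf + off;
        off += ATTR_ALIGN(h.len);
    }
    return 0;
}

/* Read the 4-byte source address. Safe only because parse_attrs enforced the length;
 * without that check this memcpy is exactly the over-read the CVE describes. */
int get_saddr_ipv4(const struct parsed *p, uint8_t addr[4])
{
    const uint8_t *a = p->attr[ATTR_SADDR_IPV4];
    if (!a)
        return -1;
    memcpy(addr, a + ATTR_HDRLEN, 4);
    return 0;
}

/* Helper to build one attribute (constructed test input, host byte order). */
static size_t put_attr(uint8_t *buf, uint16_t type, const void *payload, uint16_t plen)
{
    struct attr_hdr h = { .len = (uint16_t)(ATTR_HDRLEN + plen), .type = type };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + ATTR_HDRLEN, payload, plen);
    memset(buf + h.len, 0, ATTR_ALIGN(h.len) - h.len);
    return ATTR_ALIGN(h.len);
}

/* Well-formed message: source address 10.0.0.1. Returns the address as 0x0A000001, or -1. */
long demo_good(void)
{
    uint8_t buf[16], ip[4] = { 10, 0, 0, 1 }, out[4];
    struct parsed p;
    size_t n = put_attr(buf, ATTR_SADDR_IPV4, ip, 4);
    if (parse_attrs(buf, n, &p) != 0 || get_saddr_ipv4(&p, out) != 0)
        return -1;
    return ((long)out[0] << 24) | ((long)out[1] << 16) | ((long)out[2] << 8) | out[3];
}

/* Malformed message: same attribute type but a 1-byte payload. Returns -1 (rejected). */
long demo_short(void)
{
    uint8_t buf[16], ip[1] = { 10 };
    struct parsed p;
    size_t n = put_attr(buf, ATTR_SADDR_IPV4, ip, 1);
    return parse_attrs(buf, n, &p);
}

int main(void)
{
    printf("good message  -> 0x%08lx\n", demo_good());
    printf("short message -> %ld (rejected)\n", demo_short());
    return 0;
}
```

The short message is rejected in parse_attrs before any caller can read four bytes from a one-byte payload; that ordering (validate every attribute against a policy first, read later) is what the kernel's policy entry restores.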
Other sources
Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by insufficient validation of the length of the source address for TCP metrics in the tcp_metrics subsystem. An attacker could exploit this vulnerability to lead to an incorrect memory read.
— IBM
Frequently Asked Questions
What is the severity of CVE-2024-42154?
CVE-2024-42154 has a high severity rating due to a lack of validation in the Linux kernel regarding TCP metrics source address length.
How do I fix CVE-2024-42154?
To resolve CVE-2024-42154, update the Linux kernel to version 4.19.318, 5.4.280, 5.10.222, 5.15.163, 6.1.98, 6.6.39, 6.9.9, or 6.10.
Which Linux kernel versions are affected by CVE-2024-42154?
CVE-2024-42154 impacts multiple Linux kernel versions including those prior to 4.19.318, 5.4.280, 5.10.222, 5.15.163, 6.1.98, 6.6.39, and 6.9.9.
What types of systems are impacted by CVE-2024-42154?
CVE-2024-42154 affects systems running vulnerable versions of the Linux kernel across various distributions.
Is CVE-2024-42154 a remote code execution vulnerability?
CVE-2024-42154 is not classified as a remote code execution vulnerability; it is a local information-disclosure issue caused by an incorrect memory read, and it exposes the system to potential TCP metric manipulation.