CVE-2024-41079
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 29/07/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nvmet: always initialize cqe.result

The spec doesn't mandate that the first two double words (aka results)
for the command queue entry need to be set to 0 when they are not
used (not specified). Though, the target implementation returns 0 for TCP
and FC but not for RDMA.

Let's make RDMA behave the same and thus explicitly initialize the
result field. This prevents leaking any data from the stack.
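
The leak pattern described above, modeled in user-space C as an added example (not the kernel's code). The struct layout, function names and the fill byte standing in for leftover stack contents are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 16-byte completion queue entry model (illustrative names). */
struct cqe_model {
    uint32_t result[2];   /* first two dwords: command-specific result */
    uint16_t sq_head;
    uint16_t sq_id;
    uint16_t command_id;
    uint16_t status;
};

#define STALE_BYTE 0xA5   /* constructed stand-in for leftover memory */

/* Completion path that fills only the fields it uses (pre-fix pattern). */
static void complete_partial(struct cqe_model *cqe, uint16_t cid, uint16_t status)
{
    cqe->sq_head = 0;
    cqe->sq_id = 0;
    cqe->command_id = cid;
    cqe->status = status;
}

/* Same path, but the result dwords are always zeroed first (post-fix pattern). */
static void complete_initialized(struct cqe_model *cqe, uint16_t cid, uint16_t status)
{
    cqe->result[0] = 0;
    cqe->result[1] = 0;
    complete_partial(cqe, cid, status);
}

/* Build one entry over stale memory and count stale bytes that reach the wire. */
static size_t stale_bytes_on_wire(void (*complete)(struct cqe_model *, uint16_t, uint16_t))
{
    struct cqe_model cqe;
    unsigned char wire[sizeof(cqe)];
    size_t i, n = 0;

    memset(&cqe, STALE_BYTE, sizeof(cqe));   /* prior contents of the memory */
    complete(&cqe, 0x0001, 0x0000);          /* successful completion, cid 1 */
    memcpy(wire, &cqe, sizeof(wire));        /* the whole entry goes to the host */
    for (i = 0; i < sizeof(wire); i++)
        n += (wire[i] == STALE_BYTE);
    return n;
}

int main(void)
{
    printf("partial: %zu stale bytes\n", stale_bytes_on_wire(complete_partial));
    printf("initialized: %zu stale bytes\n", stale_bytes_on_wire(complete_initialized));
    return 0;
}
```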
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.1.101 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.42 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319
- https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d
- https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2
- https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html



