CVE-2024-26988Out-of-bounds Write in Linux

CWE-787Out-of-bounds Write20 documents9 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 98.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
LinuxLinux KernelDebian Linux+1 more
Timeline
PublishedMay 1
Latest updateSep 18

Description

In the Linux kernel, the following vulnerability has been resolved: init/main.c: Fix potential static_command_line memory overflow We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line. When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow. This patch just recovers strlen(command_l

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

NVDlinux/linux_kernel5.15.10.216+5
Debianlinux/linux_kernel< 5.10.216-1+3
CVEListV5linux/linuxf5c7310ac73ea270e3a1acdb73d1b4817f11fd672ef607ea103616aec0289f1b65d103d499fa903a+6

Also affects: Debian Linux 10.0, Fedora 38, 39, 40

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

3
CVEList
init/main.c: Fix potential static_command_line memory overflow2024-05-01
GHSA
GHSA-h5cg-5c4w-8jch: In the Linux kernel, the following vulnerability has been resolved: init/main2024-05-01
OSV
CVE-2024-26988: In the Linux kernel, the following vulnerability has been resolved: init/main2024-05-01

📋Vendor Advisories

15
Ubuntu
Linux kernel vulnerabilities2024-09-18
Ubuntu
Linux kernel vulnerabilities2024-07-30
Ubuntu
Linux kernel vulnerabilities2024-07-26
Ubuntu
Linux kernel vulnerabilities2024-07-26
Ubuntu
Linux kernel vulnerabilities2024-07-26

💬Community

1
Bugzilla
CVE-2024-26988 kernel: init/main.c: Fix potential static_command_line memory overflow2024-05-01
CVE-2024-26988 — Out-of-bounds Write in Linux | cvebase