CVE-2024-35905Improper Validation of Array Index in Linux

CWE-129Improper Validation of Array IndexCWE-190Integer Overflow or Wraparound30 documents7 sources
Severity
7.8HIGHNVD
OSV6.8OSV5.5
EPSS
0.0%
top 91.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
LinuxLinux KernelDebian Linux+1 more
Timeline
PublishedMay 19
Latest updateSep 18

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

NVDlinux/linux_kernel5.10.2095.10.215+5
Debianlinux/linux_kernel< 5.10.216-1+3
Ubuntulinux/linux_kernel< 5.15.0-116.126+1
CVEListV5linux/linuxafea95d319ccb4ad2060dece9ac5e2e364dec5439970e059af471478455f9534e8c3db82f8c5496d+7
debiandebian/linux< linux 6.1.85-1 (bookworm)

Also affects: Debian Linux 10.0

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

14
OSV
linux-xilinx-zynqmp vulnerabilities2024-09-18
OSV
linux-gcp-5.15 vulnerabilities2024-07-30
OSV
linux-raspi vulnerabilities2024-07-26
OSV
linux-oracle vulnerabilities2024-07-26
OSV
linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15 vulnerabilities2024-07-26

📋Vendor Advisories

14
Ubuntu
Linux kernel vulnerabilities2024-09-18
Ubuntu
Linux kernel vulnerabilities2024-07-30
Ubuntu
Linux kernel vulnerabilities2024-07-26
Ubuntu
Linux kernel vulnerabilities2024-07-26
Ubuntu
Linux kernel vulnerabilities2024-07-26

💬Community

1
Bugzilla
CVE-2024-35905 kernel: bpf: Protect against int overflow for stack access size2024-05-20