CVE-2024-43854 — Missing Release of Memory after Effective Lifetime in Linux

CWE-401 — Missing Release of Memory after Effective Lifetime50 documents7 sources

Severity

5.5MEDIUMNVD

OSV8.8OSV7.8OSV7.1

EPSS

0.0%

top 93.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux +9 more

Timeline

PublishedAug 17

Latest updateMar 13

Description

In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leads to random kernel memory being written media. For PI metadata this is limited to the app tag that isn't used by kernel generated metadata, but for non-PI metadata the entire buffer leaks kernel memory. Fix this by adding the __GFP_ZERO flag to allocations for writes.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages14 packages

▶NVDlinux/linux_kernel2.6.27 — 5.15.165+3

▶Debianlinux/linux_kernel< 5.10.226-1+3

▶Ubuntulinux/linux_kernel< 5.4.0-200.220+4

▶msrcmsrc/azl3_kernel_6.6.43.1-7_on_azure_linux_3.0

▶msrcmsrc/azl3_kernel_6.6.47.1-1_on_azure_linux_3.0

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

OSV

linux-lts-xenial vulnerabilities↗2025-03-13

▶

OSV

linux-kvm vulnerabilities↗2025-03-11

▶

OSV

linux, linux-aws vulnerabilities↗2025-03-05

▶

OSV

linux-azure, linux-azure-6.8 vulnerabilities↗2025-01-09

▶

OSV

linux-azure-5.15 vulnerabilities↗2025-01-09

▶

📋Vendor Advisories

Ubuntu

Linux kernel vulnerabilities↗2025-03-13

▶

Ubuntu

Linux kernel vulnerabilities↗2025-03-11

▶

Ubuntu

Linux kernel vulnerabilities↗2025-03-05

▶

Ubuntu

Linux kernel (Azure) vulnerabilities↗2025-01-09

▶

Ubuntu

Linux kernel (Azure) vulnerabilities↗2025-01-09

▶