Vulnerabilities > CVE-2024-43873 - Missing Initialization of Resource vulnerability in Linux Kernel
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c
- https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb
- https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582
- https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b
- https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22