AZL-40337

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40337.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-40337

Upstream

CVE-2024-27038

Published

2024-05-01T13:15:49Z

Modified

2026-04-01T05:13:35.817855Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2024-27038 affecting package hyperv-daemons for versions less than 6.6.29.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

clk: Fix clkcoreget NULL dereference

It is possible for clkcoreget to dereference a NULL in the following sequence:

clkcoreget() ofclkgethwfrom_clkspec() __ofclkgethwfrom_provider() __clkgethw()

__clkgethw() can return NULL which is dereferenced by clkcoreget() at hw->core.

Prior to commit dde4eff47c82 ("clk: Look for parents with clkdev based clklookups") the check ISERRORNULL() was performed which would have caught the NULL.

Reading the description of this function it talks about returning NULL but that cannot be so at the moment.

Update the function to check for hw before dereferencing it and return NULL if hw is NULL.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-27038

Affected packages

Azure Linux:3 / hyperv-daemons

Package

Name: hyperv-daemons
Purl: pkg:rpm/azure-linux/hyperv-daemons

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.29.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-40337.json"