AZL-42857

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-42857.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-42857

Upstream

CVE-2024-36477

Published

2024-06-21T12:15:11Z

Modified

2026-04-01T05:14:52.589936Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-36477 affecting package kernel for versions less than 5.15.160.1-1

Details

In the Linux kernel, the following vulnerability has been resolved:

tpmtisspi: Account for SPI header when allocating TPM SPI xfer buffer

The TPM SPI transfer mechanism uses MAXSPIFRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. As such, it does not account for the 4 bytes of header that prepends the SPI data frame. This can result in out-of-bounds accesses and was confirmed with KASAN.

Introduce SPI_HDRSIZE to account for the header and use to allocate the transfer buffer.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-36477

Affected packages

Azure Linux:2 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.160.1-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-42857.json"