Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-48504.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-48504
Upstream
Published
2024-08-21T01:15:11Z
Modified
2026-04-01T05:17:12.629101Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
CVE-2024-43873 affecting package kernel for versions less than 5.15.167.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: always initialize seqpacket_allow

There are two issues around seqpacket_allow:

1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized.
2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this).

To fix:

  • initialize seqpacket_allow after allocation
  • set it unconditionally in set_features

References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.167.1-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-48504.json"