CVE-2024-43873

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43873
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43873.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-43873
Downstream
Related
Published
2024-08-21T01:15:11Z
Modified
2025-08-09T20:01:26Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: always initialize seqpacket_allow

There are two issues around seqpacketallow: 1. seqpacketallow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIOVSOCKFSEQPACKET is set and then cleared, then seqpacketallow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this).

To fix: - initialize seqpacketallow after allocation - set it unconditionally in setfeatures

References

Affected packages