CVE-2024-43837

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Aug 17, 2024
Updated: Aug 19, 2024
CWE ID 476

Summary

CVE-2024-43837 is a vulnerability affecting the Linux kernel where a null pointer dereference occurs in the function `resolve_prog_type()` when loading an EXT program without specifying `attr->attach_prog_fd`. This results in `prog->aux->dst_prog` being null, leading to a kernel crash when the function is called. The issue was introduced by a commit meant to correct type resolution for BPF_PROG_TYPE_TRACING programs and affects the logic of determining the type of EXT programs not yet attached to `dst_prog`. To mitigate the issue, one can force `attach_prog_fd` to be non-empty when loading BPF programs or add a null check in `resolve_prog_type()`.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share