CVE-2024-50254

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Nov 9, 2024
Updated: Nov 14, 2024
CWE ID 401

Summary

CVE-2024-50254 is a vulnerability in the Linux kernel's bpf subsystem. An inaccurate check in bpf_iter_bits_destroy() may lead to a memory leak reported by kmemleak. The cause is the incorrect assumption that nr_bits will not be zero after all the bits have been iterated. The fix modifies the check in bpf_iter_bits_next() to use "!nr_bits || bits >= nr_bits", sets kit->bit to kit->nr_bits instead of zeroing kit->nr_bits, and changes the type of kit->nr_bits to int. This patch addresses the potential overflow problem and ensures that dynamically allocated bits are handled properly.
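The following user-space model is an added illustration, not kernel source and not code from this advisory. It shows why zeroing nr_bits at the end of iteration makes the destroy step skip the free, and how marking completion through bit avoids that. The struct and function names, the 64-bit heap-allocation threshold, and the allocation counter standing in for kmemleak are assumptions of the example.

```c
#include <stdlib.h>
/* User-space model; names and the 64-bit threshold are assumptions. */
struct bits_iter {
    unsigned long *bits; /* heap buffer, used only when nr_bits > 64 */
    int nr_bits;
    int bit;             /* last position returned, -1 before the first */
};

static int live_allocs;  /* stand-in for what kmemleak would track */

static void iter_new(struct bits_iter *it, int nr_bits) {
    it->bits = NULL;
    it->bit = -1;
    it->nr_bits = nr_bits;
    if (nr_bits > 64) {
        it->bits = calloc((size_t)(nr_bits + 63) / 64, sizeof(*it->bits));
        live_allocs++;
    }
}

/* fixed == 0: pre-patch end handling; fixed != 0: patched end handling. */
static int iter_next(struct bits_iter *it, int fixed) {
    if (fixed && (!it->nr_bits || it->bit >= it->nr_bits))
        return -1;
    if (it->bit + 1 >= it->nr_bits) {
        if (fixed) it->bit = it->nr_bits; /* mark done, keep the size */
        else       it->nr_bits = 0;       /* mark done by losing the size */
        return -1;
    }
    return ++it->bit;
}

static void iter_destroy(struct bits_iter *it) {
    if (it->nr_bits <= 64) return; /* treated as "nothing on the heap" */
    free(it->bits);
    live_allocs--;
}

/* Allocations still live after new -> iterate to the end -> destroy. */
int leaked_after_full_iteration(int nr_bits, int fixed) {
    struct bits_iter it;
    live_allocs = 0;
    iter_new(&it, nr_bits);
    while (iter_next(&it, fixed) >= 0) { }
    iter_destroy(&it);
    int leaked = live_allocs;
    if (leaked) free(it.bits); /* the demo cleans up after measuring */
    return leaked;
}
```

With a 128-bit iterator the pre-patch path reports one outstanding allocation after destroy and the patched path reports none; iterators of 64 bits or fewer never allocate and are unaffected in either mode.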
