CVE-2024-44947

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-44947

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

I

n the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

References
Link Resource
https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5 Patch
https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e Patch
https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9 Patch
https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6 Patch
https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a Patch
https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4 Patch
https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9 Patch
https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 Patch
https://project-zero.issues.chromium.org/issues/42451729
https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
History

03 Nov 2025, 23:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html -
  • () https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html -

23 Nov 2024, 23:15

Type Values Removed Values Added
References
  • () https://project-zero.issues.chromium.org/issues/42451729 -

16 Sep 2024, 17:47

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
References () https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5 - () https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5 - Patch
References () https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e - () https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e - Patch
References () https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9 - () https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9 - Patch
References () https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6 - () https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6 - Patch
References () https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a - () https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a - Patch
References () https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4 - () https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4 - Patch
References () https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9 - () https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9 - Patch
References () https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 - () https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6 - Patch
CWE CWE-665
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

04 Sep 2024, 12:15

Type Values Removed Values Added
References
  • () https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e -
  • () https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6 -
  • () https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a -
  • () https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9 -

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fuse: inicializar el contenido de la página más allá del EOF antes de configurar uptodate fuse_notify_store(), a diferencia de fuse_do_readpage(), no habilita la puesta a cero de la página (porque se puede usar para cambiar el contenido parcial de la página). Por lo tanto, fuse_notify_store() debe ser más cuidadoso para inicializar por completo el contenido de la página (incluidas las partes de la página que están más allá del fin del archivo) antes de marcar la página como actualizada. El código actual puede dejar el contenido de la página más allá del EOF sin inicializar, lo que hace que este contenido de página no inicializado sea visible para el espacio de usuario a través de mmap(). Esta es una fuga de información, pero solo afecta a los sistemas que no habilitan init-on-alloc (a través de CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y o el parámetro de línea de comandos del kernel correspondiente).

02 Sep 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-02 18:15

Updated : 2025-11-03 23:15

NVD link : CVE-2024-44947

Mitre link : CVE-2024-44947

CVE.ORG link : CVE-2024-44947

JSON object : View

Products Affected

linux

CWE
CWE-665

Improper Initialization