CVE-2024-44947

Updated: 2024-11-30 04:22:32.470391

Description:

In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0
CVSS Version 3.x MEDIUM 5.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement

AlmaLinux 9.2 ESU kernel 5.14.0 5.5 MEDIUM Needs Triage 2024-11-12 11:57:28
AlmaLinux 9.2 FIPS kernel 5.14.0 5.5 MEDIUM Ignored 2024-09-23 05:22:25
CentOS 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2024-09-23 05:22:25
CentOS 8.4 ELS kernel 4.18.0 5.5 MEDIUM Ignored 2024-09-23 05:22:25
CentOS 8.5 ELS kernel 4.18.0 5.5 MEDIUM Ignored 2024-09-23 05:22:25
CentOS Stream 8 ELS kernel 4.18.0 5.5 MEDIUM Ignored 2024-09-23 05:22:24
CloudLinux 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2024-09-23 05:22:24
Oracle Linux 7 ELS kernel 3.10.0 5.5 MEDIUM Ignored 2024-12-03 12:09:22
Ubuntu 16.04 ELS linux-hwe 4.15.0 5.5 MEDIUM Released CLSA-2024:1731603700 2024-11-14 12:18:29
Ubuntu 16.04 ELS linux 4.4.0 5.5 MEDIUM Released CLSA-2024:1731605761 2024-11-14 16:44:55
Total: 11