Updated: 2024-12-19 11:38:55.984525
Description:
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8.
Links | NIST | CIRCL | RHEL | Ubuntu |
Severity | Score | |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | HIGH | 7.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.8 | HIGH | Released | CLSA-2025:1738671431 | 2025-02-05 02:21:12 | |
AlmaLinux 9.2 FIPS | kernel | 5.14.0 | 7.8 | HIGH | Released | CLSA-2025:1738670922 | 2025-02-05 02:21:08 | |
CentOS 8.4 ELS | kernel | 4.18.0 | 7.8 | HIGH | In Testing | CLSA-2025:1736778412 | 2025-02-01 23:54:45 | |
CentOS 8.5 ELS | kernel | 4.18.0 | 7.8 | HIGH | In Testing | CLSA-2025:1736778632 | 2025-02-11 00:36:40 | |
CentOS Stream 8 ELS | kernel | 4.18.0 | 7.8 | HIGH | In Testing | CLSA-2025:1736783731 | 2025-02-01 23:54:44 |