CVE-2024-44947

MEDIUM EPSS 54.5%
Published Sep 2, 20241y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Sep 2, 2024 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
54.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-665

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel*≥2.6.36  –  <4.19.321
linuxlinux_kernel*≥4.20  –  <5.4.283
linuxlinux_kernel*≥5.5  –  <5.10.225
linuxlinux_kernel*≥5.11  –  <5.15.166
linuxlinux_kernel*≥5.16  –  <6.1.107
linuxlinux_kernel*≥6.2  –  <6.6.48
linuxlinux_kernel*≥6.7  –  <6.10.7
linuxlinux_kernel6.11any
linuxlinux_kernel6.11any
linuxlinux_kernel6.11any

References 11

  • git.kernel.org https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
  • project-zero.issues.chromium.org https://project-zero.issues.chromium.org/issues/42451729

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/18a067240817bee8a9360539af5d79a4bf5398a5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/33168db352c7b56ae18aa55c2cae1a1c5905d30e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c0da3d163eb32f1f91891efaade027fa9b245b9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4690e2171f651e2b415e3941ce17f2f7b813aff6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/49934861514d36d0995be8e81bb3312a499d8d9a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/831433527773e665bdb635ab5783d0b95d1246f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8c78303eafbf85a728dd84d1750e89240c677dd9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
    Patch