5.5

CVE-2024-41079

nvmet: always initialize cqe.result

In the Linux kernel, the following vulnerability has been resolved:

nvmet: always initialize cqe.result

The spec doesn't mandate that the first two double words (aka results)
for the command queue entry need to be set to 0 when they are not
used (not specified). Though, the target implemention returns 0 for TCP
and FC but not for RDMA.

Let's make RDMA behave the same and thus explicitly initializing the
result field. This prevents leaking any data from the stack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version < 6.1.101
LinuxLinux Kernel Version >= 6.2 < 6.6.42
LinuxLinux Kernel Version >= 6.7 < 6.9.11
LinuxLinux Kernel Version6.10 Updaterc1
LinuxLinux Kernel Version6.10 Updaterc2
LinuxLinux Kernel Version6.10 Updaterc3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.167
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319
Patch
https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d
Patch
https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2
Patch
https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426
Patch
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
https://git.kernel.org/stable/c/c6a2cf8b0764f3ba7d9bff58c8775a6d4476bb29