CVE-2024-41079

nvmet: always initialize cqe.result

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe.result The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implemention returns 0 for TCP and FC but not for RDMA. Let's make RDMA behave the same and thus explicitly initializing the result field. This prevents leaking any data from the stack.

N/A

CVSS

Severity:

EPSS 0.12%

Affected: Linux Linux

References

Link	Tags
https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2
https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d
https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319
https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426

Frequently Asked Questions

What is the severity of CVE-2024-41079?: CVE-2024-41079 has not yet been assigned a CVSS score.
How to fix CVE-2024-41079?: To fix CVE-2024-41079, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-41079 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-41079 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-41079?: CVE-2024-41079 affects Linux Linux, Linux Linux.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.