CVE-2024-42098

crypto: ecdh - explicitly zeroize private_key

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: ecdh - explicitly zeroize private_key private_key is overwritten with the key parameter passed in by the caller (if present), or alternatively a newly generated private key. However, it is possible that the caller provides a key (or the newly generated key) which is shorter than the previous key. In that scenario, some key material from the previous key would not be overwritten. The easiest solution is to explicitly zeroize the entire private_key array first. Note that this patch slightly changes the behavior of this function: previously, if the ecc_gen_privkey failed, the old private_key would remain. Now, the private_key is always zeroized. This behavior is consistent with the case where params.key is set and ecc_is_key_valid fails.

N/A
CVSS
Severity:
EPSS 0.10%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8
https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d
https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975
https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df
https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9

Frequently Asked Questions

What is the severity of CVE-2024-42098?
CVE-2024-42098 has not yet been assigned a CVSS score.
How to fix CVE-2024-42098?
To fix CVE-2024-42098, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42098 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42098 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42098?
CVE-2024-42098 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.