CVE-2024-42154

tcp_metrics: validate source addr length

Description

In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).

Category

4.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/19d997b59fa1fd7a02e770ee0881c0652b9c32c9 mailing list patch
https://git.kernel.org/stable/c/2a2e79dbe2236a1289412d2044994f7ab419b44c mailing list patch
https://git.kernel.org/stable/c/cdffc358717e436bb67122bb82c1a2a26e050f98 mailing list patch
https://git.kernel.org/stable/c/ef7c428b425beeb52b894e16f1c4b629d6cebfb6 mailing list patch
https://git.kernel.org/stable/c/31f03bb04146c1c6df6c03e9f45401f5f5a985d3 mailing list patch
https://git.kernel.org/stable/c/8c2debdd170e395934ac0e039748576dfde14e99 mailing list patch
https://git.kernel.org/stable/c/3d550dd5418729a6e77fe7721d27adea7152e321 mailing list patch
https://git.kernel.org/stable/c/66be40e622e177316ae81717aa30057ba9e61dff mailing list patch
http://www.openwall.com/lists/oss-security/2024/09/24/3
http://www.openwall.com/lists/oss-security/2024/09/24/4
http://www.openwall.com/lists/oss-security/2024/09/25/3
https://security.netapp.com/advisory/ntap-20240828-0010/

Frequently Asked Questions

What is the severity of CVE-2024-42154?
CVE-2024-42154 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42154?
To fix CVE-2024-42154, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42154 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42154 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42154?
CVE-2024-42154 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.