CVE-2024-43845

udf: Fix bogus checksum computation in udf_rename()

Description

In the Linux kernel, the following vulnerability has been resolved: udf: Fix bogus checksum computation in udf_rename() Syzbot reports uninitialized memory access in udf_rename() when updating checksum of '..' directory entry of a moved directory. This is indeed true as we pass on-stack diriter.fi to the udf_update_tag() and because that has only struct fileIdentDesc included in it and not the impUse or name fields, the checksumming function is going to checksum random stack contents beyond the end of the structure. This is actually harmless because the following udf_fiiter_write_fi() will recompute the checksum from on-disk buffers where everything is properly included. So all that is needed is just removing the bogus calculation.

Category

3.3
CVSS
Severity: Low
CVSS 3.1 •
EPSS 0.04%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/9c439311c13fc6faab1921441165c9b8b500c83b patch
https://git.kernel.org/stable/c/c996b570305e7a6910c2ce4cdcd4c22757ffe241 patch
https://git.kernel.org/stable/c/fe2ead240c31e8d158713beca9d0681a6e6a53ab patch
https://git.kernel.org/stable/c/40d7b3ed52449d36143bab8d3e70926aa61a60f4 patch
https://git.kernel.org/stable/c/27ab33854873e6fb958cb074681a0107cc2ecc4c patch

Frequently Asked Questions

What is the severity of CVE-2024-43845?
CVE-2024-43845 has been scored as a low severity vulnerability.
How to fix CVE-2024-43845?
To fix CVE-2024-43845, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-43845 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-43845 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-43845?
CVE-2024-43845 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.