Denial of service in Linux kernel mlxsw driver



Published: 2024-04-23
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-26586
CWE-ID CWE-787
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		Linux kernel
Operating systems & Components / Operating system

Vendor

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Out-of-bounds write

EUVDB-ID: #VU88935

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26586

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the mlxsw_sp_acl_tcam_init() function in drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c. A local user can trigger stack corruption and crash the kernel.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Linux kernel: before 5.15.148

External links

http://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182
http://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15
http://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62
http://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383
http://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706
http://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###