Input validation error in Linux kernel net phy driver



Updated: 2025-05-12
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2024-50023
CWE-ID: CWE-20
Exploitation vector: Local
Public exploit: N/A
Vulnerable software: Linux kernel (Operating systems & Components / Operating system)
Vendor: Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU99196

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50023

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the phy_led_hw_is_supported() function in drivers/net/phy/phy_device.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: 6.6 - 6.11.3

External links

https://git.kernel.org/stable/c/143ffa7878e2d9d9c3836ee8304ce4930f7852a3
https://git.kernel.org/stable/c/fba363f4d244269a0ba7abb8df953a244c6749af
https://git.kernel.org/stable/c/f50b5d74c68e551667e265123659b187a30fe3a5
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.11.4
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.57


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and must successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


