NULL pointer dereference in Linux kernel block zram driver

1) NULL pointer dereference

EUVDB-ID: #VU102129

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-53222

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the zram_add() function in drivers/block/zram/zram_drv.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 6.6 - 6.12.1

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:6.6:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc1:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc2:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc3:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc4:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc5:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6:rc6:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6.1:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6.2:*:*:*:*:*:*:*
• cpe:2.3:o:linux_foundation:linux_kernel:6.6.3:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/843d366ff19708668d95cda16bb8aba109a93dba
https://git.kernel.org/stable/c/f364cdeb38938f9d03061682b8ff3779dd1730e5
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.2
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.13
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.84

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.