PT-2024-10447 · Linux+6 · Linux Kernel+6

Published

2024-07-29

·

Updated

2026-03-14

·

CVE-2024-42098

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The issue is related to the crypto component of the Linux kernel, specifically with the ecdh (Elliptic Curve Diffie-Hellman) key exchange. The problem arises when the caller provides a key or a newly generated key that is shorter than the previous key, potentially leaving some key material from the previous key not overwritten. The solution is to explicitly zeroize the entire private key array first. This patch changes the behavior of the function, ensuring that the private key is always zeroized, even if the ecc gen privkey fails or if params.key is set and ecc is key valid fails.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2025-00987
CVE-2024-42098
DLA-4008-1
OESA-2024-1992
OESA-2024-1994
OESA-2024-1995
OESA-2025-1078
OPENSUSE-SU-2024_3190-1
OPENSUSE-SU-2024_3209-1
OPENSUSE-SU-2024_3483-1
SUSE-SU-2024:3190-1
SUSE-SU-2024:3194-1
SUSE-SU-2024:3195-1
SUSE-SU-2024:3209-1
SUSE-SU-2024:3383-1
SUSE-SU-2024:3483-1
SUSE-SU-2024:4367-1
SUSE-SU-2025:0035-1
SUSE-SU-2025:1027-1
SUSE-SU-2025:1183-1
SUSE-SU-2025:20044-1
SUSE-SU-2025:20047-1
SUSE-SU-2025_1027-1
USN-7007-1
USN-7007-2
USN-7007-3
USN-7009-1
USN-7009-2
USN-7019-1
USN-7089-1
USN-7089-2
USN-7089-3
USN-7089-4
USN-7089-5
USN-7089-6
USN-7089-7
USN-7090-1
USN-7095-1
USN-7156-1

Affected Products

Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu