PT-2024-10453 · Linux+5 · Linux Kernel+5
Published: 2024-07-30 · Updated: 2025-02-03
CVE-2024-42106
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.43
Description
The vulnerability is in the inet_diag component of the Linux kernel, which is used for socket diagnostics. The issue is a use of an uninitialized resource: the pad field in struct inet_diag_req_v2. For raw sockets this field carries the underlying protocol and corresponds to the sdiag_raw_protocol field in struct inet_diag_req_raw. When the raw_lookup() function reads the sdiag_raw_protocol field, it may perform an uninit-value access, leading to a potential denial-of-service. The vulnerability can be exploited by an attacker to cause a crash or potentially execute arbitrary code.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.43 or later. This update includes the necessary fixes to initialize the pad field in struct inet_diag_req_v2, preventing the uninit-value access and potential denial-of-service. Additionally, ensure that any dependent packages, such as kmod-virtualbox and kmod-xtables-addons, are also updated to be compatible with the new kernel version.
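An added illustration (not kernel code and not part of the original advisory): a userspace C model of the field overlap described above, showing what a raw-socket lookup reads with and without the pad initialization. The struct definitions are simplified (the socket-id member is omitted), and build_req(), raw_protocol_seen() and the 0xAA STALE byte are hypothetical names and a constructed value standing in for a field-by-field request builder, the lookup's read, and leftover stack contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified models of the two request layouts named in the advisory
 * (assumption: the trailing socket-id member is omitted). */
struct inet_diag_req_v2 {
    uint8_t  sdiag_family, sdiag_protocol, idiag_ext;
    uint8_t  pad;                  /* byte 3 */
    uint32_t idiag_states;
};
struct inet_diag_req_raw {
    uint8_t  sdiag_family, sdiag_protocol, idiag_ext;
    uint8_t  sdiag_raw_protocol;   /* byte 3: same storage as pad */
    uint32_t idiag_states;
};
_Static_assert(offsetof(struct inet_diag_req_v2, pad) ==
               offsetof(struct inet_diag_req_raw, sdiag_raw_protocol),
               "pad and sdiag_raw_protocol must occupy the same byte");

#define STALE 0xAA  /* constructed stand-in for leftover stack contents */

/* Hypothetical builder: fills a request field by field, as code working
 * on a stack-allocated struct would. init_pad selects the fixed form. */
static void build_req(struct inet_diag_req_v2 *req, int init_pad)
{
    memset(req, STALE, sizeof(*req));  /* model uninitialized storage */
    req->sdiag_family = 2;             /* AF_INET */
    req->sdiag_protocol = 255;         /* IPPROTO_RAW */
    req->idiag_ext = 0;
    if (init_pad)
        req->pad = 0;                  /* the initialization the fix adds */
    req->idiag_states = 0xFFFFFFFFu;
}

/* Models the read a raw-socket lookup performs on the same request. */
static uint8_t raw_protocol_seen(const struct inet_diag_req_v2 *req)
{
    struct inet_diag_req_raw r;
    memcpy(&r, req, sizeof(r));        /* reinterpret the same bytes */
    return r.sdiag_raw_protocol;
}

int main(void)
{
    struct inet_diag_req_v2 req;
    build_req(&req, 1);
    return raw_protocol_seen(&req);    /* exit status 0 with pad initialized */
}
```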
Weakness Enumeration
Use of Uninitialized Resource
Affected Products
Astra Linux
Linux Mint
Linux Kernel
RED OS
SUSE
Ubuntu