PT-2024-29834 · Linux+8 · Linux Kernel+8
Published: 2024-07-24 · Updated: 2025-09-29
CVE-2024-42283
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.50
Description
The issue is in the Linux kernel's net component and concerns the initialization of fields in dumped nexthops. struct nexthop_grp contains two reserved fields that are not initialized by nla_put_nh_group(), resulting in kernel memory leaks. These fields are not currently used, but leaving them uninitialized may complicate repurposing them for new ends. The leak can be observed using strace with commands like ip nexthop add and strace -e recvmsg ip nexthop get. The vulnerability may allow an attacker to cause a denial of service.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider restricting access to the net component or the nexthop functionality until a patch is available. Avoid using the recvmsg function with the ip nexthop get command until the issue is resolved.
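The uninitialized-reserved-field pattern from the description, as an added userspace example that is not kernel code and not part of the original advisory. The struct nh_grp_model layout and all function names are assumptions made for illustration; the check counts entries in a group payload whose reserved bytes are non-zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of one 8-byte group entry; the layout is an assumption. */
struct nh_grp_model {
    uint32_t id;
    uint8_t  weight;
    uint8_t  resvd1;  /* reserved */
    uint16_t resvd2;  /* reserved */
};

/* Pattern from the description: only the used fields are assigned, so the
 * reserved fields keep whatever the buffer held before. */
static void fill_partial(struct nh_grp_model *p, uint32_t id, uint8_t weight)
{
    p->id = id;
    p->weight = weight;
}

/* Whole-entry assignment: members not named in the literal become zero. */
static void fill_full(struct nh_grp_model *p, uint32_t id, uint8_t weight)
{
    *p = (struct nh_grp_model){ .id = id, .weight = weight };
}

/* Count entries in a dumped group payload whose reserved bytes are non-zero. */
size_t count_dirty_reserved(const unsigned char *payload, size_t len)
{
    struct nh_grp_model e;
    size_t dirty = 0;

    for (size_t off = 0; off + sizeof(e) <= len; off += sizeof(e)) {
        memcpy(&e, payload + off, sizeof(e));
        if (e.resvd1 != 0 || e.resvd2 != 0)
            dirty++;
    }
    return dirty;
}

/* Fill two entries over constructed stale bytes (0xAA) and run the check. */
size_t demo(int use_fixed)
{
    struct nh_grp_model grp[2];
    memset(grp, 0xAA, sizeof(grp));
    for (uint32_t i = 0; i < 2; i++)
        (use_fixed ? fill_full : fill_partial)(&grp[i], i + 1, 1);
    return count_dirty_reserved((const unsigned char *)grp, sizeof(grp));
}
```

The same reserved-bytes check can be applied to the group entries seen in captured recvmsg output when verifying that a patched kernel is running.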
Use of Uninitialized Resource
Memory Leak
Affected Products
ALT Linux
AlmaLinux
Astra Linux
Linux Mint
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu