PT-2024-29835 · Linux+6 · Linux Kernel+6
Published
2024-07-10
·
Updated
2025-09-29
·
CVE-2024-42286
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.50
Description
The vulnerability is related to the scsi: qla2xxx component in the Linux kernel, where the driver load fails with an error message and a kernel crash occurs due to a NULL pointer dereference. The issue arises when the
qla nvme register remote() function fails to validate the nvme local port correctly, leading to a crash. The vulnerability can be exploited to cause a denial of service.Recommendations
To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the
qla nvme register remote() function until a patch is available. Restrict access to the vulnerable qla2xxx module to minimize the risk of exploitation. Avoid using the nvme local port parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
NULL Pointer Dereference
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu