CVE-2024-47742

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description The issue is related to the firmware loader in the Linux kernel, where certain code paths construct firmware file names from string components passed through from devices or semi-privileged userspace. This could potentially allow for path traversal attacks. The affected code paths include lpfc sli4 request firmware update(), nfp net fw find(), and module flash fw schedule(). The vulnerability is fixed by rejecting any firmware names containing ".." path components.

Recommendations For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable code paths, such as lpfc sli4 request firmware update(), nfp net fw find(), and module flash fw schedule(), until a patch is available. Additionally, avoid using the ETHTOOL MSG MODULE FW FLASH ACT netlink command with userspace-provided firmware names until the issue is resolved.