PT-2024-8507 · Linux+5 · Linux Kernel+5

Published

2024-04-18

·

Updated

2025-11-19

·

CVE-2024-35849

CVSS v3.1

7.1

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The vulnerability is related to an information leak in the btrfs ioctl logical to ino() function. This issue occurs because the function copies a 'struct btrfs data container' back to user-space, and this container is allocated via kvmalloc(), which does not zero-fill the memory. As a result, uninitialized memory may be exposed to userspace, potentially revealing sensitive information. The issue can be fixed by using kvzalloc() instead, which zeroes out the memory on allocation.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of Uninitialized Resource

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-908CWE-200

Related Identifiers

AZL-42118
BDU:2024-10067
CVE-2024-35849
DLA-3840-1
DLA-3842-1
MGASA-2024-0263
MGASA-2024-0266
OESA-2024-1648
OESA-2024-1649
OESA-2024-1650
OESA-2024-1651
OESA-2024-1678
OESA-2024-1679
SUSE-SU-2024:1979-1
SUSE-SU-2024:1983-1
SUSE-SU-2024:2008-1
SUSE-SU-2024:2019-1
SUSE-SU-2024:2135-1
SUSE-SU-2024:2184-1
SUSE-SU-2024:2190-1
SUSE-SU-2024:2203-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20249-1
USN-6896-1
USN-6896-2
USN-6896-3
USN-6896-4
USN-6896-5
USN-6898-1
USN-6898-2
USN-6898-3
USN-6898-4
USN-6917-1
USN-6919-1
USN-6927-1
USN-6949-1
USN-6949-2
USN-6952-1
USN-6952-2
USN-6955-1
USN-7019-1
USN-7796-1
USN-7796-2
USN-7796-3
USN-7796-4
USN-7797-1
USN-7797-2
USN-7797-3
USN-7854-1
USN-7865-1
USN-7875-1

Affected Products

Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu