PT-2025-2975 · Linux+10 · Linux Kernel+10
Published
2025-01-11
·
Updated
2025-11-12
·
CVE-2024-53680
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue is related to an undefined behavior problem in the
ip vs protocol init() function. This function uses a on-stack buffer of 64 chars to store registered protocol names and leaves it uninitialized after definition. The function calls strnlen() when concatenating protocol names into the buffer. With CONFIG FORTIFY SOURCE, strnlen() performs an extra step to check whether the last byte of the input char buffer is a null character. This causes the compiler to generate code that may fall through to the next function, resulting in an oops when trying to load the ipvs module or a boot-time panic if ipvs is built-in.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use of Uninitialized Resource
Access of Uninitialized Pointer
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu