CVE-2024-39499

CVE Details

Release Date:

2024-07-12

Description

In the Linux kernel, the following vulnerability has been resolved:\nvmci: prevent speculation leaks by sanitizing event in event_deliver()\nCoverity spotted that event_msg is controlled by user-space,\nevent_msg->event_data.event is passed to event_deliver() and used\nas an index without sanitization.\nThis change ensures that the event index is sanitized to mitigate any\npossibility of speculative information leaks.\nThis bug was discovered and resolved using Coverity Static Analysis\nSecurity Testing (SAST) by Synopsys, Inc.\nOnly compile tested, no access to HW.

See more information about CVE-2024-39499 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	4.1
Vector String:	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Version:	3.1
Attack Vector:	Local
Attack Complexity:	High
Privileges Required:	High
User Interaction:	None
Scope:	Unchanged
Confidentiality:	High
Integrity:	None
Availability:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 6 (kernel-uek)	ELSA-2024-12851	2024-11-27
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12610	2024-09-10
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12779	2024-10-11
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12851	2024-11-27
Oracle Linux version 7 (kernel-uek-container)	ELSA-2024-12612	2024-09-11
Oracle Linux version 8 (kernel)	ELSA-2024-7000	2024-09-24
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12610	2024-09-10
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12618	2024-09-12
Oracle Linux version 8 (kernel-uek-container)	ELSA-2024-12612	2024-09-11
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12618	2024-09-12
Oracle VM version 3 (kernel-uek)	OVMSA-2024-0016	2024-12-03