CVE-2024-41090
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-41090
CVE Details
| Release Date: | 2024-07-24 |
Description
In the Linux kernel, the following vulnerability has been resolved: tap: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tap_get_user_xdp() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tap_get_user_xdp()-->skb_set_network_header() may assume the size is more than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tap_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted. This is to drop any frame shorter than the Ethernet header size just like how tap_get_user() does. CVE: CVE-2024-41090
See more information about CVE-2024-41090 from MITRE CVE dictionary and NIST NVD
CVSS Scoring
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Base Score: | 7.1 | CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
| Attack Vector: | Local network | Attack Complexity: | Low |
| Privileges Required: | None | User Interaction: | None |
| Scope: | Changed | Confidentiality Impact: | None |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 6 (kernel-uek) | ELSA-2024-12549 | 2024-07-23 |
| Oracle Linux version 6 (kernel-uek) | ELSA-2024-12570 | 2024-08-05 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12547 | 2024-07-23 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12548 | 2024-07-23 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12549 | 2024-07-23 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12571 | 2024-08-05 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12581 | 2024-08-12 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12583 | 2024-08-12 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12780 | 2024-10-11 |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12782 | 2024-10-14 |
| Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12551 | 2024-07-23 |
| Oracle Linux version 7 (kernel-uek-container) | ELSA-2024-12585 | 2024-08-12 |
| Oracle Linux version 8 (kernel) | ELSA-2024-7000 | 2024-09-24 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12546 | 2024-07-23 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12547 | 2024-07-23 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12581 | 2024-08-12 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12582 | 2024-08-12 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12780 | 2024-10-11 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12782 | 2024-10-14 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12815 | 2024-11-11 |
| Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12552 | 2024-07-23 |
| Oracle Linux version 8 (kernel-uek-container) | ELSA-2024-12584 | 2024-08-12 |
| Oracle Linux version 9 (kernel) | ELSA-2024-5928 | 2024-08-28 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12546 | 2024-07-23 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12582 | 2024-08-12 |
| Oracle Linux version 9 (kernel-uek) | ELSA-2024-12815 | 2024-11-11 |
| Oracle VM version 3 (kernel-uek) | OVMSA-2024-0009 | 2024-07-24 |
| Oracle VM version 3 (kernel-uek) | OVMSA-2024-0010 | 2024-08-07 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
