CVE-2024-50142
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: validate new SA's prefixlen using SA family when sel.family is unset This expands the validation introduced in commit 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.") syzbot created an SA with usersa.sel.family = AF_UNSPEC usersa.sel.prefixlen_s = 128 usersa.family = AF_INET Because of the AF_UNSPEC selector, verify_newsa_info doesn't put limits on prefixlen_{s,d}. But then copy_from_user_state sets x->sel.family to usersa.family (AF_INET). Do the same conversion in verify_newsa_info before validating prefixlen_{s,d}, since that's how prefixlen is going to be used later on.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| rocky | 8 | fixed | |
| sles | affected | | |
| debian | bookworm | fixed | 6.1.115-1 |
| debian | bullseye | fixed | 5.10.234-1 |
| debian | forky | fixed | 6.11.6-1 |
| debian | sid | fixed | 6.11.6-1 |
| debian | trixie | fixed | 6.11.6-1 |
| linux-kernel | affected | 4.19.323 | |
| linux-kernel | 6.12 | affected | |
| almalinux | 8 | fixed | kernel-rt-core-4.18.0-553.32.1.rt7.373.el8_10.x86_64.rpm |
| almalinux | 9 | fixed | rv-5.14.0-503.19.1.el9_5.aarch64.rpm |
References
- https://access.redhat.com/errata/RHSA-2024:11486
- https://git.kernel.org/stable/c/2d08a6c31c65f23db71a5385ee9cf9d8f9a67a71
- https://git.kernel.org/stable/c/3f0ab59e6537c6a8f9e1b355b48f9c05a76e8563
- https://git.kernel.org/stable/c/401ad99a5ae7180dd9449eac104cb755f442e7f3
- https://git.kernel.org/stable/c/7d9868180bd1e4cf37e7c5067362658971162366
- https://git.kernel.org/stable/c/8df5cd51fd70c33aa1776e5cbcd82b0a86649d73
- https://git.kernel.org/stable/c/bce1afaa212ec380bf971614f70909a27882b862
- https://git.kernel.org/stable/c/e68dd80ba498265d2266b12dc3459164f4ff0c4a
- https://git.kernel.org/stable/c/f31398570acf0f0804c644006f7bfa9067106b0a
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://errata.rockylinux.org/RLSA-2024:10944
- https://errata.rockylinux.org/RLSA-2024:10943
- https://www.suse.com/security/cve/CVE-2024-50142.html
- https://security-tracker.debian.org/tracker/CVE-2024-50142
- https://access.redhat.com/errata/RHSA-2024:10943
- https://bugzilla.redhat.com/2312083
- https://bugzilla.redhat.com/2320505
- https://bugzilla.redhat.com/2322308
- https://bugzilla.redhat.com/2323904
- https://bugzilla.redhat.com/2323930
- https://bugzilla.redhat.com/2324315
- https://bugzilla.redhat.com/2324612
- https://bugzilla.redhat.com/2324889
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.