CVE-2024-36953

2024-05-3016:15:18

Debian Security Bug Tracker

security-tracker.debian.org

linux kernel

resolved vulnerability

cve-2024-36953

AI Score

6.6

Confidence

Low

EPSS

Percentile

10.3%

JSON

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn’t handled gracefully. Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not.

OSVersionArchitecturePackageVersionFilename
Debian12alllinux< 6.1.94-1linux_6.1.94-1_all.deb
Debian11alllinux< 5.10.218-1linux_5.10.218-1_all.deb
Debian999alllinux< 6.8.11-1linux_6.8.11-1_all.deb
Debian13alllinux< 6.8.11-1linux_6.8.11-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	linux	< 6.1.94-1	linux_6.1.94-1_all.deb
Debian	11	all	linux	< 5.10.218-1	linux_5.10.218-1_all.deb
Debian	999	all	linux	< 6.8.11-1	linux_6.8.11-1_all.deb
Debian	13	all	linux	< 6.8.11-1	linux_6.8.11-1_all.deb