CVE-2024-46754

In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/9cd15511de7c619bbd0f54bb3f28e6e720ded5d6	Patch
https://git.kernel.org/stable/c/c13fda93aca118b8e5cd202e339046728ee7dddb	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-18 08:15

Updated : 2025-10-08 17:07

NVD link : CVE-2024-46754

Mitre link : CVE-2024-46754

CVE.ORG link : CVE-2024-46754

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-46754", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-09-18T08:15:04.153", "references": [{"url": "https://git.kernel.org/stable/c/9cd15511de7c619bbd0f54bb3f28e6e720ded5d6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c13fda93aca118b8e5cd202e339046728ee7dddb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Remove tst_run from lwt_seg6local_prog_ops.\n\nThe syzbot reported that the lwt_seg6 related BPF ops can be invoked\nvia bpf_test_run() without without entering input_action_end_bpf()\nfirst.\n\nMartin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL\nprobably didn't work since it was introduced in commit 04d4b274e2a\n(\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the\nper-CPU variable seg6_bpf_srh_states::srh is never assigned in the self\ntest case but each BPF function expects it.\n\nRemove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: eliminar tst_run de lwt_seg6local_prog_ops. El syzbot inform\u00f3 que las operaciones BPF relacionadas con lwt_seg6 se pueden invocar mediante bpf_test_run() sin ingresar primero input_action_end_bpf(). Martin KaFai Lau dijo que la autoprueba para BPF_PROG_TYPE_LWT_SEG6LOCAL probablemente no funcion\u00f3 ya que se introdujo en el commit 04d4b274e2a (\"ipv6: sr: Agregar acci\u00f3n seg6local End.BPF\"). La raz\u00f3n es que la variable por CPU seg6_bpf_srh_states::srh nunca se asigna en el caso de la autoprueba, pero cada funci\u00f3n BPF lo espera. Eliminar test_run para BPF_PROG_TYPE_LWT_SEG6LOCAL."}], "lastModified": "2025-10-08T17:07:45.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A5E25C4-1AB9-41C9-88CF-A493EE371276", "versionEndExcluding": "6.10.10", "versionStartIncluding": "4.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}