CVE-2024-58000

In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent reg-wait speculations With *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments for the waiting loop the user can specify an offset into a pre-mapped region of memory, in which case the [offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the argument. As we address a kernel array using a user given index, it'd be a subject to speculation type of exploits. Use array_index_nospec() to prevent that. Make sure to pass not the full region size but truncate by the maximum offset allowed considering the structure size.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1	Patch
https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-27 02:15

Updated : 2025-10-23 17:48

NVD link : CVE-2024-58000

Mitre link : CVE-2024-58000

CVE.ORG link : CVE-2024-58000

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-58000", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-27T02:15:14.033", "references": [{"url": "https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent reg-wait speculations\n\nWith *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments\nfor the waiting loop the user can specify an offset into a pre-mapped\nregion of memory, in which case the\n[offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the\nargument.\n\nAs we address a kernel array using a user given index, it'd be a subject\nto speculation type of exploits. Use array_index_nospec() to prevent\nthat. Make sure to pass not the full region size but truncate by the\nmaximum offset allowed considering the structure size."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: evitar especulaciones de reg-wait Con *ENTER_EXT_ARG_REG en lugar de pasar un puntero de usuario con argumentos para el bucle de espera, el usuario puede especificar un desplazamiento en una regi\u00f3n de memoria preasignada, en cuyo caso [offset, offset + sizeof(io_uring_reg_wait)) se interpretar\u00e1 como el argumento. Como direccionamos una matriz del kernel usando un \u00edndice dado por el usuario, ser\u00eda un tema de tipo especulativo de exploits. Use array_index_nospec() para evitar eso. Aseg\u00farese de no pasar el tama\u00f1o completo de la regi\u00f3n, sino truncarlo por el desplazamiento m\u00e1ximo permitido considerando el tama\u00f1o de la estructura."}], "lastModified": "2025-10-23T17:48:41.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D4116B1-1BFD-4F23-BA84-169CC05FC5A3", "versionEndExcluding": "6.13.2", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}