<p>Upgrade <code>SLES:15.6</code> <code>dlm-kmp-default</code> to version 6.4.0-150600.23.7.3 or higher.</p>

CVE-2024-26988 Affecting dlm-kmp-default package, versions <6.4.0-150600.23.7.3

Threat Intelligence

0.04% (11^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-SLES156-DLMKMPDEFAULT-7714033
published 20 Aug 2024
disclosed 25 Jun 2024

Report a new vulnerability Found a mistake?

Introduced: 25 Jun 2024

CVE-2024-26988 Open this link in a new tab

How to fix?

Upgrade SLES:15.6 dlm-kmp-default to version 6.4.0-150600.23.7.3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream dlm-kmp-default package and not the dlm-kmp-default package as distributed by SLES. See How to fix? for SLES:15.6 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

init/main.c: Fix potential static_command_line memory overflow

We allocate memory of size 'xlen + strlen(boot_command_line) + 1' for static_command_line, but the strings copied into static_command_line are extra_command_line and command_line, rather than extra_command_line and boot_command_line.

When strlen(command_line) > strlen(boot_command_line), static_command_line will overflow.

This patch just recovers strlen(command_line) which was miss-consolidated with strlen(boot_command_line) in the commit f5c7310ac73e ("init/main: add checks for the return value of memblock_alloc*()")

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

High
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

None
Integrity (I)

High
Availability (A)

High

CVE-2024-26988 Affecting dlm-kmp-default package, versions <6.4.0-150600.23.7.3

Severity

Based on SUSE Linux Enterprise Server security rating