CVE-2024-52332
Published: 11 January 2025
Description
In the Linux kernel, the following vulnerability has been resolved: igb: Fix potential invalid memory access in igb_init_module() The pci_register_driver() can fail and when this happened, the dca_notifier needs to be unregistered, otherwise the dca_notifier can be called when igb fails to install, resulting to invalid memory access.
Security Summary
CVE-2024-52332 is a vulnerability in the Linux kernel's igb driver, specifically within the igb_init_module() function. It arises when pci_register_driver() fails during module initialization, but the dca_notifier is not unregistered. This can lead to the notifier being called after the igb module fails to install, resulting in invalid memory access classified as CWE-125 (Out-of-bounds Read). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating high severity due to potential confidentiality and availability impacts.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation occurs in a local attack vector (AV:L) with unchanged scope (S:U), potentially allowing the attacker to trigger invalid memory access. This could result in high confidentiality impact, such as information disclosure through out-of-bounds reads, and high availability impact, such as denial of service via system crashes or instability.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, including 0566f83d206c7a864abcd741fe39d6e0ae5eef29, 4458046617dfadc351162dbaea1945c57eebdf36, 4fe517643f529e805bb6b890a4331c100e8f2484, 8009cdcc493fa30d4572016daf2d6999da4d6c54, and 992fd34122de377b45cb75b64fc7f17fc1e6ed2f. Security practitioners should update affected Linux kernel versions to incorporate these fixes, particularly on systems using the igb driver for Intel Gigabit Ethernet hardware.
Details
- CWE(s)