1. Home
  2. Vulnerabilities
  3. CVE-2024-36016

CVE-2024-36016

CVSS v3.1 7.7 (High)
77% Progress
EPSS 0.04 % (14th)
0.04% Progress
Advisories 37
NVD Status Awaiting Analysis
Info CVSS EPSS CAPEC References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

In the Linux kernel, the following vulnerability has been resolved:

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

Assuming the following:
- side A configures the n_gsm in basic option mode
- side B sends the header of a basic option mode frame with data length 1
- side A switches to advanced option mode
- side B sends 2 data bytes which exceeds gsm->len
Reason: gsm->len is not used in advanced option mode.
- side A switches to basic option mode
- side B keeps sending until gsm0_receive() writes past gsm->buf
Reason: Neither gsm->state nor gsm->len have been reset after
reconfiguration.

Fix this by changing gsm->count to gsm->len comparison from equal to less
than. Also add upper limit checks against the constant MAX_MRU in
gsm0_receive() and gsm1_receive() to harden against memory corruption of
gsm->len and gsm->mru.

All other checks remain as we still need to limit the data according to the
user configuration and actual payload size.

Weaknesses
CWE-125
Out-of-bounds Read
CVE Status
PUBLISHED
NVD Status
Awaiting Analysis
CNA
kernel.org
Published Date
2024-05-29 19:15:48
(3 months ago)
Updated Date
2024-07-15 07:15:04
(2 months ago)