CVE-2024-43873

Description

In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features

CVSS v3.1 Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-909 CWE-909

Affected Products

Vendor	Product	Versions
linux	linux_kernel	5.14 — 5.15.165
linux	linux_kernel	5.16 — 6.1.103
linux	linux_kernel	6.2 — 6.6.44
linux	linux_kernel	6.7 — 6.10.3

References

Advisories & Patches

https://git.kernel.org/stable/c/1e1fdcbdde3b7663e5d8faeb2245b9b151417d22 https://git.kernel.org/stable/c/3062cb100787a9ddf45de30004b962035cd497fb https://git.kernel.org/stable/c/30bd4593669443ac58515e23557dc8cef70d8582 https://git.kernel.org/stable/c/ea558f10fb05a6503c6e655a1b7d81fdf8e5924c https://git.kernel.org/stable/c/eab96e8716cbfc2834b54f71cc9501ad4eec963b

Other References

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Frequently Asked Questions

What is CVE-2024-43873? +

In the Linux kernel, the following vulnerability has been resolved: vhost/vsock: always initialize seqpacket_allow There are two issues around seqpacket_allow: 1. seqpacket_allow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, then seqpacket_allow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this). To fix: - initialize seqpacket_allow after allocation - set it unconditionally in set_features It has a CVSS v3.1 base score of 7.8 (HIGH).

How severe is CVE-2024-43873? +

CVE-2024-43873 has a CVSS v3.1 score of 7.8 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.

What products are affected by CVE-2024-43873? +

CVE-2024-43873 affects products from linux, specifically: linux_kernel. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-43873? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-53845

ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to …

CVE-2024-8178 8.8

The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a …

CVE-2024-9780 7.8

ITS dissector crash in Wireshark 4.4.0 allows denial of service via packet injection or crafted capture file

CVE-2025-8117 7.5

PAD CMS improperly initializes parameter used for password recovery, which allows to change password for any user that did not …

CVE-2026-43040 7.1

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to …

CVE-2024-52870 7.1

Teradata Vantage Editor 1.0.1 is mostly intended for SQL database access and docs.teradata.com access, but provides unintended functionality (including Chromium …