CVE-2024-53142 (GCVE-0-2024-53142)

Vulnerability from cvelistv5 – Published: 2024-12-06 09:37 – Updated: 2026-05-11 20:51
VLAI
Title
initramfs: avoid filename buffer overrun
Summary
In the Linux kernel, the following vulnerability has been resolved: initramfs: avoid filename buffer overrun The initramfs filename field is defined in Documentation/driver-api/early-userspace/buffer-format.rst as: 37 cpio_file := ALGN(4) + cpio_header + filename + "\0" + ALGN(4) + data ... 55 ============= ================== ========================= 56 Field name Field size Meaning 57 ============= ================== ========================= ... 70 c_namesize 8 bytes Length of filename, including final \0 When extracting an initramfs cpio archive, the kernel's do_name() path handler assumes a zero-terminated path at @collected, passing it directly to filp_open() / init_mkdir() / init_mknod(). If a specially crafted cpio entry carries a non-zero-terminated filename and is followed by uninitialized memory, then a file may be created with trailing characters that represent the uninitialized memory. The ability to create an initramfs entry would imply already having full control of the system, so the buffer overrun shouldn't be considered a security vulnerability. Append the output of the following bash script to an existing initramfs and observe any created /initramfs_test_fname_overrunAA* path. E.g. ./reproducer.sh | gzip >> /myinitramfs It's easiest to observe non-zero uninitialized memory when the output is gzipped, as it'll overflow the heap allocated @out_buf in __gunzip(), rather than the initrd_start+initrd_size block. ---- reproducer.sh ---- nilchar="A" # change to "\0" to properly zero terminate / pad magic="070701" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname="initramfs_test_fname_overrun" namelen=$(( ${#fname} + 1 )) # plus one to account for terminator printf "%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s" \ $magic $ino $mode $uid $gid $nlink $mtime $filesize \ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) & 3)) % 4) )) printf "%.s${nilchar}" $(seq 1 $termpadlen) ---- reproducer.sh ---- Symlink filename fields handled in do_symlink() won't overrun past the data segment, due to the explicit zero-termination of the symlink target. Fix filename buffer overrun by aborting the initramfs FSM if any cpio entry doesn't carry a zero-terminator at the expected (name_len - 1) offset.
Severity
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bb7ac96670ab1d8d681015f9d66e45dad579af4d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c509b1acbd867d9e09580fe059a924cb5825afb1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d3df9f26cff97beaa5643e551031795d5d5cddbe (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6983b8ac787b3add5571cda563574932a59a99bb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f892ddcf9f645380c358e73653cb0900f6bc9eb8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1a423bbbeaf9e3e20c4686501efd9b661fe834db (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 49d01e736c3045319e030d1e75fb983011abaca7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fb83b093f75806333b6f4ae29b158d2e0e3ec971 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e017671f534dd3f568db9e47b0583e853d2da9b5 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.19.325 , ≤ 4.19.* (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.11.11 , ≤ 6.11.* (semver)
Unaffected: 6.12.2 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:46:24.014Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "init/initramfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb7ac96670ab1d8d681015f9d66e45dad579af4d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c509b1acbd867d9e09580fe059a924cb5825afb1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d3df9f26cff97beaa5643e551031795d5d5cddbe",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6983b8ac787b3add5571cda563574932a59a99bb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f892ddcf9f645380c358e73653cb0900f6bc9eb8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1a423bbbeaf9e3e20c4686501efd9b661fe834db",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "49d01e736c3045319e030d1e75fb983011abaca7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fb83b093f75806333b6f4ae29b158d2e0e3ec971",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e017671f534dd3f568db9e47b0583e853d2da9b5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "init/initramfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.325",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.325",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninitramfs: avoid filename buffer overrun\n\nThe initramfs filename field is defined in\nDocumentation/driver-api/early-userspace/buffer-format.rst as:\n\n 37 cpio_file := ALGN(4) + cpio_header + filename + \"\\0\" + ALGN(4) + data\n...\n 55 ============= ================== =========================\n 56 Field name    Field size         Meaning\n 57 ============= ================== =========================\n...\n 70 c_namesize    8 bytes            Length of filename, including final \\0\n\nWhen extracting an initramfs cpio archive, the kernel\u0027s do_name() path\nhandler assumes a zero-terminated path at @collected, passing it\ndirectly to filp_open() / init_mkdir() / init_mknod().\n\nIf a specially crafted cpio entry carries a non-zero-terminated filename\nand is followed by uninitialized memory, then a file may be created with\ntrailing characters that represent the uninitialized memory. The ability\nto create an initramfs entry would imply already having full control of\nthe system, so the buffer overrun shouldn\u0027t be considered a security\nvulnerability.\n\nAppend the output of the following bash script to an existing initramfs\nand observe any created /initramfs_test_fname_overrunAA* path. E.g.\n  ./reproducer.sh | gzip \u003e\u003e /myinitramfs\n\nIt\u0027s easiest to observe non-zero uninitialized memory when the output is\ngzipped, as it\u0027ll overflow the heap allocated @out_buf in __gunzip(),\nrather than the initrd_start+initrd_size block.\n\n---- reproducer.sh ----\nnilchar=\"A\"\t# change to \"\\0\" to properly zero terminate / pad\nmagic=\"070701\"\nino=1\nmode=$(( 0100777 ))\nuid=0\ngid=0\nnlink=1\nmtime=1\nfilesize=0\ndevmajor=0\ndevminor=1\nrdevmajor=0\nrdevminor=0\ncsum=0\nfname=\"initramfs_test_fname_overrun\"\nnamelen=$(( ${#fname} + 1 ))\t# plus one to account for terminator\n\nprintf \"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\" \\\n\t$magic $ino $mode $uid $gid $nlink $mtime $filesize \\\n\t$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname\n\ntermpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026 3)) % 4) ))\nprintf \"%.s${nilchar}\" $(seq 1 $termpadlen)\n---- reproducer.sh ----\n\nSymlink filename fields handled in do_symlink() won\u0027t overrun past the\ndata segment, due to the explicit zero-termination of the symlink\ntarget.\n\nFix filename buffer overrun by aborting the initramfs FSM if any cpio\nentry doesn\u0027t carry a zero-terminator at the expected (name_len - 1)\noffset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:51:40.152Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb7ac96670ab1d8d681015f9d66e45dad579af4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c509b1acbd867d9e09580fe059a924cb5825afb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3df9f26cff97beaa5643e551031795d5d5cddbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/6983b8ac787b3add5571cda563574932a59a99bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f892ddcf9f645380c358e73653cb0900f6bc9eb8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a423bbbeaf9e3e20c4686501efd9b661fe834db"
        },
        {
          "url": "https://git.kernel.org/stable/c/49d01e736c3045319e030d1e75fb983011abaca7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb83b093f75806333b6f4ae29b158d2e0e3ec971"
        },
        {
          "url": "https://git.kernel.org/stable/c/e017671f534dd3f568db9e47b0583e853d2da9b5"
        }
      ],
      "title": "initramfs: avoid filename buffer overrun",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53142",
    "datePublished": "2024-12-06T09:37:03.035Z",
    "dateReserved": "2024-11-19T17:17:24.997Z",
    "dateUpdated": "2026-05-11T20:51:40.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-53142",
      "date": "2026-06-29",
      "epss": "0.00241",
      "percentile": "0.15058"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.6.12\", \"versionEndExcluding\": \"4.19.325\", \"matchCriteriaId\": \"FAEB49A0-3B16-46DF-AA21-AD4136295A41\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.20\", \"versionEndExcluding\": \"6.6.64\", \"matchCriteriaId\": \"D42B3E7C-85DF-4DBF-A6EC-E45F69FF2DCA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.7\", \"versionEndExcluding\": \"6.11.11\", \"matchCriteriaId\": \"21434379-192D-472F-9B54-D45E3650E893\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.12\", \"versionEndExcluding\": \"6.12.2\", \"matchCriteriaId\": \"D8882B1B-2ABC-4838-AC1D-DBDBB5764776\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninitramfs: avoid filename buffer overrun\\n\\nThe initramfs filename field is defined in\\nDocumentation/driver-api/early-userspace/buffer-format.rst as:\\n\\n 37 cpio_file := ALGN(4) + cpio_header + filename + \\\"\\\\0\\\" + ALGN(4) + data\\n...\\n 55 ============= ================== =========================\\n 56 Field name    Field size         Meaning\\n 57 ============= ================== =========================\\n...\\n 70 c_namesize    8 bytes            Length of filename, including final \\\\0\\n\\nWhen extracting an initramfs cpio archive, the kernel\u0027s do_name() path\\nhandler assumes a zero-terminated path at @collected, passing it\\ndirectly to filp_open() / init_mkdir() / init_mknod().\\n\\nIf a specially crafted cpio entry carries a non-zero-terminated filename\\nand is followed by uninitialized memory, then a file may be created with\\ntrailing characters that represent the uninitialized memory. The ability\\nto create an initramfs entry would imply already having full control of\\nthe system, so the buffer overrun shouldn\u0027t be considered a security\\nvulnerability.\\n\\nAppend the output of the following bash script to an existing initramfs\\nand observe any created /initramfs_test_fname_overrunAA* path. E.g.\\n  ./reproducer.sh | gzip \u003e\u003e /myinitramfs\\n\\nIt\u0027s easiest to observe non-zero uninitialized memory when the output is\\ngzipped, as it\u0027ll overflow the heap allocated @out_buf in __gunzip(),\\nrather than the initrd_start+initrd_size block.\\n\\n---- reproducer.sh ----\\nnilchar=\\\"A\\\"\\t# change to \\\"\\\\0\\\" to properly zero terminate / pad\\nmagic=\\\"070701\\\"\\nino=1\\nmode=$(( 0100777 ))\\nuid=0\\ngid=0\\nnlink=1\\nmtime=1\\nfilesize=0\\ndevmajor=0\\ndevminor=1\\nrdevmajor=0\\nrdevminor=0\\ncsum=0\\nfname=\\\"initramfs_test_fname_overrun\\\"\\nnamelen=$(( ${#fname} + 1 ))\\t# plus one to account for terminator\\n\\nprintf \\\"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\\\" \\\\\\n\\t$magic $ino $mode $uid $gid $nlink $mtime $filesize \\\\\\n\\t$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname\\n\\ntermpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026 3)) % 4) ))\\nprintf \\\"%.s${nilchar}\\\" $(seq 1 $termpadlen)\\n---- reproducer.sh ----\\n\\nSymlink filename fields handled in do_symlink() won\u0027t overrun past the\\ndata segment, due to the explicit zero-termination of the symlink\\ntarget.\\n\\nFix filename buffer overrun by aborting the initramfs FSM if any cpio\\nentry doesn\u0027t carry a zero-terminator at the expected (name_len - 1)\\noffset.\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: initramfs: evitar el desbordamiento del b\\u00fafer del nombre de archivo El campo de nombre de archivo de initramfs se define en Documentation/driver-api/early-userspace/buffer-format.rst como: 37 cpio_file := ALGN(4) + cpio_header + filename + \\\"\\\\0\\\" + ALGN(4) + data ... 55 ============== =================== ========================== 56 Nombre de campo Tama\\u00f1o del campo Significado 57 ============= =================== ========================== ... 70 c_namesize 8 bytes Longitud del nombre de archivo, final \\\\0 Al extraer un archivo cpio de initramfs, el manejador de ruta do_name() del n\\u00facleo asume una ruta terminada en cero en @collected, pas\\u00e1ndola directamente a filp_open() / init_mkdir() / init_mknod(). Si una entrada cpio especialmente dise\\u00f1ada lleva un nombre de archivo que no termina en cero y es seguida por memoria no inicializada, entonces se puede crear un archivo con caracteres finales que representan la memoria no inicializada. La capacidad de crear una entrada initramfs implicar\\u00eda ya tener control total del sistema, por lo que el desbordamiento del b\\u00fafer no deber\\u00eda considerarse una vulnerabilidad de seguridad. Adjunte la salida del siguiente script bash a un initramfs existente y observe cualquier ruta /initramfs_test_fname_overrunAA* creada. Por ejemplo, ./reproducer.sh | Es m\\u00e1s f\\u00e1cil observar memoria no inicializada distinta de cero cuando se comprime la salida, ya que desbordar\\u00e1 el mont\\u00f3n asignado @out_buf en __gunzip(), en lugar del bloque initrd_start+initrd_size. ---- reproducter.sh ---- nilchar=\\\"A\\\" # cambia a \\\"\\\\0\\\" para terminar correctamente en cero / rellenar magic=\\\"070701\\\" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname=\\\"initramfs_test_fname_overrun\\\" namelen=$(( ${#fname} + 1 )) # m\\u00e1s uno para tener en cuenta el terminador printf \\\"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\\\" \\\\ $magic $ino $mode $uid $gid $nlink $mtime $filesize \\\\ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026amp; 3)) % 4) )) printf \\\"%.s${nilchar}\\\" $(seq 1 $termpadlen) ---- reproducer.sh ---- Los campos de nombre de archivo de enlace simb\\u00f3lico manejados en do_symlink() no se desbordar\\u00e1n m\\u00e1s all\\u00e1 del segmento de datos, debido a la terminaci\\u00f3n expl\\u00edcita en cero del objetivo del enlace simb\\u00f3lico. Corrija el desbordamiento del b\\u00fafer de nombre de archivo abortando el FSM initramfs si alguna entrada cpio no lleva un terminador en cero en el desplazamiento esperado (name_len - 1).\"}]",
      "id": "CVE-2024-53142",
      "lastModified": "2024-12-14T21:15:38.707",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-12-06T10:15:06.203",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/1a423bbbeaf9e3e20c4686501efd9b661fe834db\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/49d01e736c3045319e030d1e75fb983011abaca7\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/6983b8ac787b3add5571cda563574932a59a99bb\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/bb7ac96670ab1d8d681015f9d66e45dad579af4d\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/c509b1acbd867d9e09580fe059a924cb5825afb1\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/d3df9f26cff97beaa5643e551031795d5d5cddbe\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/e017671f534dd3f568db9e47b0583e853d2da9b5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/f892ddcf9f645380c358e73653cb0900f6bc9eb8\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/fb83b093f75806333b6f4ae29b158d2e0e3ec971\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-787\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53142\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-06T10:15:06.203\",\"lastModified\":\"2026-06-17T08:08:24.340\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ninitramfs: avoid filename buffer overrun\\n\\nThe initramfs filename field is defined in\\nDocumentation/driver-api/early-userspace/buffer-format.rst as:\\n\\n 37 cpio_file := ALGN(4) + cpio_header + filename + \\\"\\\\0\\\" + ALGN(4) + data\\n...\\n 55 ============= ================== =========================\\n 56 Field name    Field size         Meaning\\n 57 ============= ================== =========================\\n...\\n 70 c_namesize    8 bytes            Length of filename, including final \\\\0\\n\\nWhen extracting an initramfs cpio archive, the kernel\u0027s do_name() path\\nhandler assumes a zero-terminated path at @collected, passing it\\ndirectly to filp_open() / init_mkdir() / init_mknod().\\n\\nIf a specially crafted cpio entry carries a non-zero-terminated filename\\nand is followed by uninitialized memory, then a file may be created with\\ntrailing characters that represent the uninitialized memory. The ability\\nto create an initramfs entry would imply already having full control of\\nthe system, so the buffer overrun shouldn\u0027t be considered a security\\nvulnerability.\\n\\nAppend the output of the following bash script to an existing initramfs\\nand observe any created /initramfs_test_fname_overrunAA* path. E.g.\\n  ./reproducer.sh | gzip \u003e\u003e /myinitramfs\\n\\nIt\u0027s easiest to observe non-zero uninitialized memory when the output is\\ngzipped, as it\u0027ll overflow the heap allocated @out_buf in __gunzip(),\\nrather than the initrd_start+initrd_size block.\\n\\n---- reproducer.sh ----\\nnilchar=\\\"A\\\"\\t# change to \\\"\\\\0\\\" to properly zero terminate / pad\\nmagic=\\\"070701\\\"\\nino=1\\nmode=$(( 0100777 ))\\nuid=0\\ngid=0\\nnlink=1\\nmtime=1\\nfilesize=0\\ndevmajor=0\\ndevminor=1\\nrdevmajor=0\\nrdevminor=0\\ncsum=0\\nfname=\\\"initramfs_test_fname_overrun\\\"\\nnamelen=$(( ${#fname} + 1 ))\\t# plus one to account for terminator\\n\\nprintf \\\"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\\\" \\\\\\n\\t$magic $ino $mode $uid $gid $nlink $mtime $filesize \\\\\\n\\t$devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname\\n\\ntermpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026 3)) % 4) ))\\nprintf \\\"%.s${nilchar}\\\" $(seq 1 $termpadlen)\\n---- reproducer.sh ----\\n\\nSymlink filename fields handled in do_symlink() won\u0027t overrun past the\\ndata segment, due to the explicit zero-termination of the symlink\\ntarget.\\n\\nFix filename buffer overrun by aborting the initramfs FSM if any cpio\\nentry doesn\u0027t carry a zero-terminator at the expected (name_len - 1)\\noffset.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: initramfs: evitar el desbordamiento del b\u00fafer del nombre de archivo El campo de nombre de archivo de initramfs se define en Documentation/driver-api/early-userspace/buffer-format.rst como: 37 cpio_file := ALGN(4) + cpio_header + filename + \\\"\\\\0\\\" + ALGN(4) + data ... 55 ============== =================== ========================== 56 Nombre de campo Tama\u00f1o del campo Significado 57 ============= =================== ========================== ... 70 c_namesize 8 bytes Longitud del nombre de archivo, final \\\\0 Al extraer un archivo cpio de initramfs, el manejador de ruta do_name() del n\u00facleo asume una ruta terminada en cero en @collected, pas\u00e1ndola directamente a filp_open() / init_mkdir() / init_mknod(). Si una entrada cpio especialmente dise\u00f1ada lleva un nombre de archivo que no termina en cero y es seguida por memoria no inicializada, entonces se puede crear un archivo con caracteres finales que representan la memoria no inicializada. La capacidad de crear una entrada initramfs implicar\u00eda ya tener control total del sistema, por lo que el desbordamiento del b\u00fafer no deber\u00eda considerarse una vulnerabilidad de seguridad. Adjunte la salida del siguiente script bash a un initramfs existente y observe cualquier ruta /initramfs_test_fname_overrunAA* creada. Por ejemplo, ./reproducer.sh | Es m\u00e1s f\u00e1cil observar memoria no inicializada distinta de cero cuando se comprime la salida, ya que desbordar\u00e1 el mont\u00f3n asignado @out_buf en __gunzip(), en lugar del bloque initrd_start+initrd_size. ---- reproducter.sh ---- nilchar=\\\"A\\\" # cambia a \\\"\\\\0\\\" para terminar correctamente en cero / rellenar magic=\\\"070701\\\" ino=1 mode=$(( 0100777 )) uid=0 gid=0 nlink=1 mtime=1 filesize=0 devmajor=0 devminor=1 rdevmajor=0 rdevminor=0 csum=0 fname=\\\"initramfs_test_fname_overrun\\\" namelen=$(( ${#fname} + 1 )) # m\u00e1s uno para tener en cuenta el terminador printf \\\"%s%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\\\" \\\\ $magic $ino $mode $uid $gid $nlink $mtime $filesize \\\\ $devmajor $devminor $rdevmajor $rdevminor $namelen $csum $fname termpadlen=$(( 1 + ((4 - ((110 + $namelen) \u0026amp; 3)) % 4) )) printf \\\"%.s${nilchar}\\\" $(seq 1 $termpadlen) ---- reproducer.sh ---- Los campos de nombre de archivo de enlace simb\u00f3lico manejados en do_symlink() no se desbordar\u00e1n m\u00e1s all\u00e1 del segmento de datos, debido a la terminaci\u00f3n expl\u00edcita en cero del objetivo del enlace simb\u00f3lico. Corrija el desbordamiento del b\u00fafer de nombre de archivo abortando el FSM initramfs si alguna entrada cpio no lleva un terminador en cero en el desplazamiento esperado (name_len - 1).\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"init/initramfs.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"bb7ac96670ab1d8d681015f9d66e45dad579af4d\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"c509b1acbd867d9e09580fe059a924cb5825afb1\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"d3df9f26cff97beaa5643e551031795d5d5cddbe\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"6983b8ac787b3add5571cda563574932a59a99bb\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"f892ddcf9f645380c358e73653cb0900f6bc9eb8\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"1a423bbbeaf9e3e20c4686501efd9b661fe834db\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"49d01e736c3045319e030d1e75fb983011abaca7\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"fb83b093f75806333b6f4ae29b158d2e0e3ec971\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\",\"lessThan\":\"e017671f534dd3f568db9e47b0583e853d2da9b5\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"init/initramfs.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"2.6.12\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"2.6.12\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"4.19.325\",\"lessThanOrEqual\":\"4.19.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.4.287\",\"lessThanOrEqual\":\"5.4.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.231\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.174\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.120\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.64\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.11.11\",\"lessThanOrEqual\":\"6.11.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.2\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.13\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.12\",\"versionEndExcluding\":\"4.19.325\",\"matchCriteriaId\":\"FAEB49A0-3B16-46DF-AA21-AD4136295A41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"6.6.64\",\"matchCriteriaId\":\"D42B3E7C-85DF-4DBF-A6EC-E45F69FF2DCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.11\",\"matchCriteriaId\":\"21434379-192D-472F-9B54-D45E3650E893\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12\",\"versionEndExcluding\":\"6.12.2\",\"matchCriteriaId\":\"D8882B1B-2ABC-4838-AC1D-DBDBB5764776\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1a423bbbeaf9e3e20c4686501efd9b661fe834db\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/49d01e736c3045319e030d1e75fb983011abaca7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6983b8ac787b3add5571cda563574932a59a99bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb7ac96670ab1d8d681015f9d66e45dad579af4d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c509b1acbd867d9e09580fe059a924cb5825afb1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d3df9f26cff97beaa5643e551031795d5d5cddbe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e017671f534dd3f568db9e47b0583e853d2da9b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f892ddcf9f645380c358e73653cb0900f6bc9eb8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fb83b093f75806333b6f4ae29b158d2e0e3ec971\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.