CVE-2024-35840 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option()

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
kernel-0:5.14.0-503.11.1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z
kernel-0:5.14.0-503.11.1.el9_5	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453
https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c
https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a
https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721
https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb
https://lore.kernel.org/linux-cve-announce/2024051756-CVE-2024-35840-99fa@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-35840
https://www.cve.org/CVERecord?id=CVE-2024-35840

History

Fri, 20 Dec 2024 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-17T14:27:31.166Z

Updated: 2025-05-04T09:06:35.802Z

Reserved: 2024-05-17T13:50:33.104Z

Link: CVE-2024-35840

Vulnrichment

Updated: 2024-08-02T03:21:48.782Z

NVD

Status : Awaiting Analysis

Published: 2024-05-17T15:15:21.090

Modified: 2024-11-21T09:21:01.193

Link: CVE-2024-35840

Redhat

Severity : Moderate

Publid Date: 2024-05-17T00:00:00Z

Links: CVE-2024-35840 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35840", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-17T13:50:33.104Z", "datePublished": "2024-05-17T14:27:31.166Z", "dateUpdated": "2025-05-04T09:06:35.802Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:06:35.802Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/subflow.c"], "versions": [{"version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "413b913507326972135d2977975dbff8b7f2c453", "status": "affected", "versionType": "git"}, {"version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "51e4cb032d49ce094605f27e45eabebc0408893c", "status": "affected", "versionType": "git"}, {"version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "ad3e8f5c3d5c53841046ef7a947c04ad45a20721", "status": "affected", "versionType": "git"}, {"version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "76e8de7273a22a00d27e9b8b7d4d043d6433416a", "status": "affected", "versionType": "git"}, {"version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/mptcp/subflow.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.148", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.75", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.14", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.2", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.148"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.7.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453"}, {"url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c"}, {"url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721"}, {"url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a"}, {"url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb"}], "title": "mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-17T17:16:03.221877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:34:51.661Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.782Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:21:48.782Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-17T17:16:03.221877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:24.612Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "413b913507326972135d2977975dbff8b7f2c453", "versionType": "git"}, {"status": "affected", "version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "51e4cb032d49ce094605f27e45eabebc0408893c", "versionType": "git"}, {"status": "affected", "version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "ad3e8f5c3d5c53841046ef7a947c04ad45a20721", "versionType": "git"}, {"status": "affected", "version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "76e8de7273a22a00d27e9b8b7d4d043d6433416a", "versionType": "git"}, {"status": "affected", "version": "f296234c98a8fcec94eec80304a873f635d350ea", "lessThan": "be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb", "versionType": "git"}], "programFiles": ["net/mptcp/subflow.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.7"}, {"status": "unaffected", "version": "0", "lessThan": "5.7", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.148", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.75", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.14", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.2", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/mptcp/subflow.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/413b913507326972135d2977975dbff8b7f2c453"}, {"url": "https://git.kernel.org/stable/c/51e4cb032d49ce094605f27e45eabebc0408893c"}, {"url": "https://git.kernel.org/stable/c/ad3e8f5c3d5c53841046ef7a947c04ad45a20721"}, {"url": "https://git.kernel.org/stable/c/76e8de7273a22a00d27e9b8b7d4d043d6433416a"}, {"url": "https://git.kernel.org/stable/c/be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\n\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.75", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.14", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.2", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "5.7"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:06:35.802Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35840", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:06:35.802Z", "dateReserved": "2024-05-17T13:50:33.104Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-17T14:27:31.166Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()", "id": "2281282", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2281282"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()\nsubflow_finish_connect() uses four fields (backup, join_id, thmac, none)\nthat may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set\nin mptcp_parse_option()", "CVE-2024-35840 is a vulnerability in the Linux kernel\u2019s Multipath TCP (MPTCP) implementation. It occurs because the subflow_finish_connect() function may handle uninitialized data in certain fields if a specific MPTCP option (OPTION_MPTCP_MPJ_SYNACK) is not correctly set during option parsing. This could lead to unpredictable behavior in MPTCP connections. The issue has been resolved by ensuring proper initialization and handling of these fields."], "name": "CVE-2024-35840", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35840\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35840\nhttps://lore.kernel.org/linux-cve-announce/2024051756-CVE-2024-35840-99fa@gregkh/T"], "threat_severity": "Moderate"}