CVE-2024-43873

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-43873

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-43873.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-43873

Downstream

BELL-CVE-2024-43873

DEBIAN-CVE-2024-43873

DLA-4008-1

OESA-2024-2590

RHSA-2025:6966

SUSE-SU-2024:3190-1

SUSE-SU-2024:3194-1

SUSE-SU-2024:3195-1

SUSE-SU-2024:3209-1

SUSE-SU-2024:3383-1

SUSE-SU-2024:3483-1

UBUNTU-CVE-2024-43873

USN-7100-1

USN-7100-2

USN-7123-1

USN-7144-1

USN-7154-1

USN-7154-2

USN-7155-1

USN-7156-1

USN-7194-1

USN-7196-1

Related

Published

2024-08-21T01:15:11Z

Modified

2025-08-09T19:01:27Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

vhost/vsock: always initialize seqpacket_allow

There are two issues around seqpacketallow: 1. seqpacketallow is not initialized when socket is created. Thus if features are never set, it will be read uninitialized. 2. if VIRTIOVSOCKFSEQPACKET is set and then cleared, then seqpacketallow will not be cleared appropriately (existing apps I know about don't usually do this but it's legal and there's no way to be sure no one relies on this).

To fix: - initialize seqpacketallow after allocation - set it unconditionally in setfeatures

References

Affected packages