CVE-2024-42076: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: Initialize unused data in j1939_send_one() syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() creates full frame including unused data, but it doesn't initialize it. This causes the kernel-infoleak issue. Fix this by initializing unused data. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] memcpy_to_msg include/linux/skbuff.h:4113 [inline] raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 ___sys_recvmsg+0x223/0x840 net/socket.c:2845 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1313 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 sock_alloc_send_skb include/net/sock.h:1842 [inline] j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-15 of 16 are uninitialized Memory access of size 16 starts at ffff888120969690 Data copied to user address 00000000200017c0 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
AI Analysis
Technical Summary
CVE-2024-42076 is a vulnerability identified in the Linux kernel, specifically within the Controller Area Network (CAN) protocol stack implementation for J1939, a higher-layer protocol used in automotive and industrial environments. The issue arises in the function j1939_send_one(), which constructs a full CAN frame but fails to initialize certain unused data bytes within the frame. This results in a kernel information leak, as uninitialized kernel memory is inadvertently exposed to user space during socket operations involving raw_recvmsg(). The vulnerability was detected by syzbot, a kernel fuzzing tool, which reported kernel memory sanitizer (KMSAN) warnings indicating that uninitialized data was copied to user space. The root cause is that bytes 12-15 of a 16-byte data structure remain uninitialized before being sent to user space, potentially leaking sensitive kernel memory contents. The flaw is located in the CAN J1939 socket send path and affects Linux kernel versions prior to the patch. The vulnerability does not require authentication or special privileges beyond the ability to send or receive CAN J1939 messages, which may be accessible on systems with CAN interfaces enabled. Exploitation could allow local attackers or processes with access to CAN sockets to read uninitialized kernel memory, potentially disclosing sensitive information such as kernel pointers or other data that could aid in further attacks like privilege escalation or bypassing kernel security mitigations. The vulnerability has been fixed by initializing the previously unused data in j1939_send_one(), preventing the leak. No known exploits are reported in the wild as of the publication date. The vulnerability affects Linux kernel versions prior to the patch commit identified by the hash 9d71dd0c70099914fcd063135da3c580865e924c. The issue is relevant for systems using the CAN J1939 protocol, commonly found in automotive, industrial control, and embedded Linux environments.
Potential Impact
For European organizations, the impact of CVE-2024-42076 depends on the deployment of Linux systems utilizing CAN J1939 interfaces. Industries such as automotive manufacturing, transportation, industrial automation, and critical infrastructure that rely on embedded Linux devices with CAN bus communication are most at risk. The information leak could expose kernel memory contents, potentially revealing sensitive data or kernel pointers that facilitate further exploitation, including privilege escalation or kernel address space layout randomization (KASLR) bypass. This could lead to unauthorized access, disruption of industrial control systems, or compromise of safety-critical automotive systems. Although exploitation requires local access to CAN J1939 sockets, many embedded or industrial devices run Linux kernels with CAN support enabled and may be accessible internally or via networked gateways. The leak undermines confidentiality and could be a stepping stone for attackers to gain deeper control over affected devices. European organizations operating connected vehicles, smart factories, or critical infrastructure with Linux-based CAN devices should consider this vulnerability a significant risk to operational security and safety. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits leveraging this information leak.
Mitigation Recommendations
1. Apply the official Linux kernel patches that initialize unused data in j1939_send_one() as soon as they become available for your kernel version. Monitor vendor advisories for updated kernel packages. 2. For embedded or industrial Linux devices, coordinate with hardware and software vendors to ensure updated firmware or kernel versions are deployed promptly. 3. Restrict access to CAN J1939 sockets to trusted users and processes only. Implement strict access controls and use Linux capabilities or SELinux/AppArmor policies to limit socket creation and usage. 4. Disable CAN J1939 protocol support on systems where it is not required to reduce the attack surface. 5. Monitor system logs and network traffic for unusual CAN socket activity that may indicate attempts to exploit this vulnerability. 6. Conduct security audits of embedded Linux devices in operational environments to verify kernel versions and patch status. 7. For critical infrastructure and automotive environments, implement network segmentation and isolation to limit exposure of CAN interfaces to untrusted networks or users. 8. Employ runtime security tools that can detect anomalous kernel memory access or information leak attempts.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Finland
CVE-2024-42076: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: Initialize unused data in j1939_send_one() syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() creates full frame including unused data, but it doesn't initialize it. This causes the kernel-infoleak issue. Fix this by initializing unused data. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] memcpy_to_msg include/linux/skbuff.h:4113 [inline] raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 ___sys_recvmsg+0x223/0x840 net/socket.c:2845 do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1313 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 sock_alloc_send_skb include/net/sock.h:1842 [inline] j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Bytes 12-15 of 16 are uninitialized Memory access of size 16 starts at ffff888120969690 Data copied to user address 00000000200017c0 CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
AI-Powered Analysis
Technical Analysis
CVE-2024-42076 is a vulnerability identified in the Linux kernel, specifically within the Controller Area Network (CAN) protocol stack implementation for J1939, a higher-layer protocol used in automotive and industrial environments. The issue arises in the function j1939_send_one(), which constructs a full CAN frame but fails to initialize certain unused data bytes within the frame. This results in a kernel information leak, as uninitialized kernel memory is inadvertently exposed to user space during socket operations involving raw_recvmsg(). The vulnerability was detected by syzbot, a kernel fuzzing tool, which reported kernel memory sanitizer (KMSAN) warnings indicating that uninitialized data was copied to user space. The root cause is that bytes 12-15 of a 16-byte data structure remain uninitialized before being sent to user space, potentially leaking sensitive kernel memory contents. The flaw is located in the CAN J1939 socket send path and affects Linux kernel versions prior to the patch. The vulnerability does not require authentication or special privileges beyond the ability to send or receive CAN J1939 messages, which may be accessible on systems with CAN interfaces enabled. Exploitation could allow local attackers or processes with access to CAN sockets to read uninitialized kernel memory, potentially disclosing sensitive information such as kernel pointers or other data that could aid in further attacks like privilege escalation or bypassing kernel security mitigations. The vulnerability has been fixed by initializing the previously unused data in j1939_send_one(), preventing the leak. No known exploits are reported in the wild as of the publication date. The vulnerability affects Linux kernel versions prior to the patch commit identified by the hash 9d71dd0c70099914fcd063135da3c580865e924c. The issue is relevant for systems using the CAN J1939 protocol, commonly found in automotive, industrial control, and embedded Linux environments.
Potential Impact
For European organizations, the impact of CVE-2024-42076 depends on the deployment of Linux systems utilizing CAN J1939 interfaces. Industries such as automotive manufacturing, transportation, industrial automation, and critical infrastructure that rely on embedded Linux devices with CAN bus communication are most at risk. The information leak could expose kernel memory contents, potentially revealing sensitive data or kernel pointers that facilitate further exploitation, including privilege escalation or kernel address space layout randomization (KASLR) bypass. This could lead to unauthorized access, disruption of industrial control systems, or compromise of safety-critical automotive systems. Although exploitation requires local access to CAN J1939 sockets, many embedded or industrial devices run Linux kernels with CAN support enabled and may be accessible internally or via networked gateways. The leak undermines confidentiality and could be a stepping stone for attackers to gain deeper control over affected devices. European organizations operating connected vehicles, smart factories, or critical infrastructure with Linux-based CAN devices should consider this vulnerability a significant risk to operational security and safety. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits leveraging this information leak.
Mitigation Recommendations
1. Apply the official Linux kernel patches that initialize unused data in j1939_send_one() as soon as they become available for your kernel version. Monitor vendor advisories for updated kernel packages. 2. For embedded or industrial Linux devices, coordinate with hardware and software vendors to ensure updated firmware or kernel versions are deployed promptly. 3. Restrict access to CAN J1939 sockets to trusted users and processes only. Implement strict access controls and use Linux capabilities or SELinux/AppArmor policies to limit socket creation and usage. 4. Disable CAN J1939 protocol support on systems where it is not required to reduce the attack surface. 5. Monitor system logs and network traffic for unusual CAN socket activity that may indicate attempts to exploit this vulnerability. 6. Conduct security audits of embedded Linux devices in operational environments to verify kernel versions and patch status. 7. For critical infrastructure and automotive environments, implement network segmentation and isolation to limit exposure of CAN interfaces to untrusted networks or users. 8. Employ runtime security tools that can detect anomalous kernel memory access or information leak attempts.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-29T15:50:41.169Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe1993
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 4:55:24 AM
Last updated: 8/11/2025, 12:32:05 AM
Views: 15
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20
LowCVE-2025-9090: Command Injection in Tenda AC20
MediumCVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0
LowCVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.