{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-58000", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-27T02:04:28.915Z", "datePublished": "2025-02-27T02:07:19.155Z", "dateUpdated": "2025-05-04T10:08:06.384Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T10:08:06.384Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent reg-wait speculations\n\nWith *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments\nfor the waiting loop the user can specify an offset into a pre-mapped\nregion of memory, in which case the\n[offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the\nargument.\n\nAs we address a kernel array using a user given index, it'd be a subject\nto speculation type of exploits. Use array_index_nospec() to prevent\nthat. Make sure to pass not the full region size but truncate by the\nmaximum offset allowed considering the structure size."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/io_uring.c"], "versions": [{"version": "aa00f67adc2c0d6439f81b5a81ff181377c47a7e", "lessThan": "2a6de94df7bfa76d9850443547e7b3333f63a16a", "status": "affected", "versionType": "git"}, {"version": "aa00f67adc2c0d6439f81b5a81ff181377c47a7e", "lessThan": "29b95ac917927ce9f95bf38797e16333ecb489b1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["io_uring/io_uring.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.2", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.13.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a"}, {"url": "https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1"}], "title": "io_uring: prevent reg-wait speculations", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D4116B1-1BFD-4F23-BA84-169CC05FC5A3", "versionEndExcluding": "6.13.2", "versionStartIncluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: prevent reg-wait speculations\n\nWith *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments\nfor the waiting loop the user can specify an offset into a pre-mapped\nregion of memory, in which case the\n[offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the\nargument.\n\nAs we address a kernel array using a user given index, it'd be a subject\nto speculation type of exploits. Use array_index_nospec() to prevent\nthat. Make sure to pass not the full region size but truncate by the\nmaximum offset allowed considering the structure size."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: evitar especulaciones de reg-wait Con *ENTER_EXT_ARG_REG en lugar de pasar un puntero de usuario con argumentos para el bucle de espera, el usuario puede especificar un desplazamiento en una regi\u00f3n de memoria preasignada, en cuyo caso [offset, offset + sizeof(io_uring_reg_wait)) se interpretar\u00e1 como el argumento. Como direccionamos una matriz del kernel usando un \u00edndice dado por el usuario, ser\u00eda un tema de tipo especulativo de exploits. Use array_index_nospec() para evitar eso. Aseg\u00farese de no pasar el tama\u00f1o completo de la regi\u00f3n, sino truncarlo por el desplazamiento m\u00e1ximo permitido considerando el tama\u00f1o de la estructura."}], "id": "CVE-2024-58000", "lastModified": "2025-10-23T17:48:41.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-27T02:15:14.033", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: io_uring: prevent reg-wait speculations", "id": "2348639", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348639"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nio_uring: prevent reg-wait speculations\nWith *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments\nfor the waiting loop the user can specify an offset into a pre-mapped\nregion of memory, in which case the\n[offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the\nargument.\nAs we address a kernel array using a user given index, it'd be a subject\nto speculation type of exploits. Use array_index_nospec() to prevent\nthat. Make sure to pass not the full region size but truncate by the\nmaximum offset allowed considering the structure size."], "name": "CVE-2024-58000", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-58000\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-58000\nhttps://lore.kernel.org/linux-cve-announce/2025022642-CVE-2024-58000-4f74@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:31:23.891307+00:00", "updated": "2025-07-12T22:31:23.891369+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}