CVE-2024-42283: net: nexthop: Initialize all fields in dumped nexthops
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: Initialize all fields in dumped nexthops
struct nexthop_grp contains two reserved fields that are not initialized by
nla_put_nh_group(), and carry garbage. This can be observed e.g. with
strace (edited for clarity):
# ip nexthop add id 1 dev lo
# ip nexthop add id 101 group 1
# strace -e recvmsg ip nexthop get id 101
...
recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
[{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52
The fields are reserved and therefore not currently used. But as they are, they
leak kernel memory, and the fact they are not just zero complicates repurposing
of the fields for new ends. Initialize the full structure.
Security readout for executives and security teams
Plain-English summary
CVE-2024-42283 is a Linux kernel information exposure issue. When nexthop group data is dumped, two reserved fields can contain uninitialized kernel memory instead of zeros. The source states those fields are not currently used, reducing immediate business urgency, but affected systems should still receive vendor kernel updates.
Executive priority
Treat this as routine but necessary kernel hygiene unless vendor guidance elevates impact for a specific product. It is a memory disclosure issue with no cited active exploitation, but it affects core infrastructure software and should be resolved through normal patch cycles.
Technical view
The flaw is in Linux net/nexthop handling. nla_put_nh_group() did not initialize all fields in struct nexthop_grp before returning nexthop group attributes, causing reserved bytes to carry stale kernel data. The fix initializes the full structure before exposure through netlink dumps.
Likely exposure
Exposure is most relevant to Linux systems using affected kernel versions with nexthop support. The bundle lists Linux as affected and references stable kernel fixes plus Debian and Siemens advisories. Product-specific exposure depends on distribution, appliance, or vendor kernel packaging.
Exploitation context
The bundle does not show CISA KEV listing, active exploitation, public exploit availability, or remote code execution. The described impact is kernel memory disclosure through nexthop dump output. Evidence for practical abuse is incomplete in the provided sources.
Researcher notes
Focus validation on kernel provenance, not only upstream version strings. Downstream vendors may backport the fix without changing major kernel versions. The reserved fields are reported as unused, so impact assessment should distinguish confirmed disclosure from speculative future field reuse concerns.
Mitigation direction
Apply vendor kernel updates that include the stable Linux fixes.
Check Debian LTS and device vendor advisories for packaged fixes.
Prioritize internet-facing or multi-tenant Linux systems first.
Track Siemens advisory guidance for affected industrial products.
If no vendor fix is available, follow vendor risk guidance.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and containers hosts.
Confirm whether vendor kernels include the referenced stable fixes.
Review package advisories for Debian LTS or affected downstream products.
Check whether nexthop functionality is present on exposed systems.
Document residual risk where vendor status remains unclear.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-42283 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.