CVE-2024-42292: kobject_uevent: Fix OOB access within zap_modalias_env()
In the Linux kernel, the following vulnerability has been resolved:
kobject_uevent: Fix OOB access within zap_modalias_env()
zap_modalias_env() wrongly calculates size of memory block to move, so
will cause OOB memory access issue if variable MODALIAS is not the last
one within its @env parameter, fixed by correcting size to memmove.
Security readout for executives and security teams
Plain-English summary
CVE-2024-42292 is a Linux kernel memory-access bug in uevent handling. A kernel helper can move the wrong amount of memory when removing a MODALIAS environment value, causing out-of-bounds access. The public sources confirm kernel fixes, but do not provide CVSS, impact details, or active exploitation evidence.
Executive priority
Track and remediate through normal kernel patch management unless your environment includes sensitive appliances, embedded Linux, or delayed kernel-update channels. Escalate if a vendor later confirms exploitation, severe impact, or reachable attack paths.
Technical view
The flaw is in zap_modalias_env() within kobject_uevent handling. If MODALIAS is not the last entry in the env parameter, the function miscalculates the memmove size and may access memory out of bounds. Linux stable commits correct the size calculation.
Likely exposure
Systems running affected Linux kernel versions may be exposed, including downstream distributions and embedded products that carry the vulnerable kernel code. The bundle lists Linux as affected and includes Debian LTS and Siemens advisories, suggesting distribution and product-vendor tracking.
Exploitation context
The provided evidence does not show active exploitation, public exploit availability, or CISA KEV listing. The source bundle only states the kernel bug and fix. Treat exploitation likelihood as unproven until vendor advisories or threat intelligence say otherwise.
Researcher notes
Evidence is limited to the CVE description and fix references. No CVSS, CWE, privilege requirement, trigger path, or confirmed impact class is included. Further analysis should review the Linux stable patches and downstream vendor advisories without assuming exploitability.
Mitigation direction
Apply kernel updates from your Linux distribution or device vendor.
Prioritize systems with direct hardware, hotplug, or device-management exposure.
Check Debian LTS and Siemens advisories if those environments are present.
For custom kernels, verify the relevant Linux stable fix is backported.
Validation and detection
Inventory running kernel versions across servers, appliances, and embedded systems.
Compare kernels against vendor advisories and fixed package versions.
Confirm custom kernels include the zap_modalias_env() size correction.
Document exceptions where vendor guidance is unavailable or pending.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-42292 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.