What is GHSA-vq8p-qg57-9728?

GHSA-vq8p-qg57-9728 is a security advisory published by GitHub Security Advisories with Medium severity. In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe...

Which CVE IDs does GHSA-vq8p-qg57-9728 cover?

GHSA-vq8p-qg57-9728 covers the following CVE IDs: CVE-2024-41079. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-vq8p-qg57-9728?

GHSA-vq8p-qg57-9728 has a CVSS v3 base score of 5.5, published by GitHub Security Advisories.

GHSA-vq8p-qg57-9728MediumCVSS 5.5

In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe...

Vendor

GitHub Security Advisories

Published

July 29, 2024

Last Modified

June 1, 2026

🔗 CVE IDs covered (1)

CVE-2024-41079 →

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

nvmet: always initialize cqe.result

The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implemention returns 0 for TCP and FC but not for RDMA.

Let's make RDMA behave the same and thus explicitly initializing the result field. This prevents leaking any data from the stack.

🔗 References (8)

https://nvd.nist.gov/vuln/detail/CVE-2024-41079
https://git.kernel.org/stable/c/0990e8a863645496b9e3f91cfcfd63cd95c80319
https://git.kernel.org/stable/c/10967873b80742261527a071954be8b54f0f8e4d
https://git.kernel.org/stable/c/30d35b24b7957922f81cfdaa66f2e1b1e9b9aed2
https://git.kernel.org/stable/c/cd0c1b8e045a8d2785342b385cb2684d9b48e426
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
https://git.kernel.org/stable/c/c6a2cf8b0764f3ba7d9bff58c8775a6d4476bb29
https://github.com/advisories/GHSA-vq8p-qg57-9728