What is CVE-2024-35905?

CVE-2024-35905 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10. CVE-2024-35905 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2024-35905?

CVE-2024-35905 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2024-35905?

No patch is currently available for CVE-2024-35905. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2024-35905 actively exploited?

CVE-2024-35905 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2024-35905

High

In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7.

Package Linux Kernel

Published 2024-05-19

Last modified 2026-05-12

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-129

CVE-2024-35905 is classified as CWE-129

See CWE-129 on MITRE CWE for full details on this weakness type.

References

The following references provide additional information about CVE-2024-35905 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Debian Security
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Mailing List
Cert-Portal
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
Kernel patch commit
https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103
Patch
Kernel patch commit
https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69
Patch

6 patch commits total View all on NVD

Details

CVE ID CVE-2024-35905

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2024-05-19

Modified 2026-05-12

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2024-35905?

CVE-2024-35905 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 . CVE-2024-35905 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2024-35905?

CVE-2024-35905 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2024-35905?

No patch is currently available for CVE-2024-35905. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2024-35905 actively exploited?

No — CVE-2024-35905 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.