What is CVE-2024-40902?

CVE-2024-40902 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10. CVE-2024-40902 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2024-40902?

CVE-2024-40902 has a CVSS score of 7.8 out of 10, rated High severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Is there a patch available for CVE-2024-40902?

No patch is currently available for CVE-2024-40902. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2024-40902 actively exploited?

CVE-2024-40902 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2024-40902

High

In the Linux kernel, the following vulnerability has been resolved: jfs: xattr: fix buffer overflow for invalid xattr When an xattr size is not what is expected, it is printed out to the kernel log in hex format as a form of debugging. But when that xattr size is bigger than the expected size, printing it out can cause an access off the end of the buffer. Fix this all up by properly restricting the size of the debug hex dump in the kernel log.

Package Linux Kernel

Published 2024-07-12

Last modified 2025-11-03

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

7.8

out of 10

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness type

CWE-120

CVE-2024-40902 is classified as CWE-120

See CWE-120 on MITRE CWE for full details on this weakness type.

References

The following references provide additional information about CVE-2024-40902 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Debian Security
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Kernel patch commit
https://git.kernel.org/stable/c/1e84c9b1838152a87cf453270a5fa75c5037e83a
Patch
Kernel patch commit
https://git.kernel.org/stable/c/33aecc5799c93d3ee02f853cb94e201f9731f123
Patch
Kernel patch commit
https://git.kernel.org/stable/c/4598233d9748fe4db4e13b9f473588aa25e87d69
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2024-40902

Severity High

CVSS score 7.8 / 10

CVSS version 3.1

Published 2024-07-12

Modified 2025-11-03

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2024-40902?

CVE-2024-40902 is a High severity Linux kernel vulnerability with a CVSS score of 7.8 out of 10 . CVE-2024-40902 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2024-40902?

CVE-2024-40902 has a CVSS score of 7.8 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Is there a patch available for CVE-2024-40902?

No patch is currently available for CVE-2024-40902. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2024-40902 actively exploited?

No — CVE-2024-40902 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.