What is CVE-2024-42318?

CVE-2024-42318 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. CVE-2024-42318 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2024-42318?

CVE-2024-42318 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2024-42318?

No patch is currently available for CVE-2024-42318. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2024-42318 actively exploited?

CVE-2024-42318 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2024-42318

Medium

In the Linux kernel, the following vulnerability has been resolved: landlock: Don't lose track of restrictions on cred_transfer When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost. This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself. Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)

Package Linux Kernel

Published 2024-08-17

Last modified 2025-11-03

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

The following references provide additional information about CVE-2024-42318 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Bugs
https://bugs.chromium.org/p/project-zero/issues/detail?id=2566

Issue Tracking Third Party Advisory
Kernel.org
https://lore.kernel.org/all/[email protected]/

Mailing List
Openwall
https://www.openwall.com/lists/oss-security/2024/08/17/2

Mailing List
Openwall
http://www.openwall.com/lists/oss-security/2024/08/17/2

Mailing List
Debian Security
https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
Kernel patch commit
https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c
Patch
Kernel patch commit
https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49
Patch
Kernel patch commit
https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1
Patch

5 patch commits total View all on NVD

Details

CVE ID CVE-2024-42318

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-08-17

Modified 2025-11-03

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2024-42318?

CVE-2024-42318 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . CVE-2024-42318 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2024-42318?

CVE-2024-42318 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2024-42318?

No patch is currently available for CVE-2024-42318. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2024-42318 actively exploited?

No — CVE-2024-42318 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.