{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T03:12:58.278","vulnerabilities":[{"cve":{"id":"CVE-2024-57878","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-01-11T15:15:08.190","lastModified":"2025-10-01T20:17:59.500","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn't initialize the temporary 'fpmr' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). 
In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: ptrace: corrección de SETREGSET parcial para NT_ARM_FPMR Actualmente, fpmr_set() no inicializa la variable temporal 'fpmr', y una llamada a SETREGSET con una longitud de cero la dejará sin inicializar. En consecuencia, se volverá a escribir un valor arbitrario en target->thread.uw.fpmr, lo que podría provocar una pérdida de hasta 64 bits de memoria de la pila del kernel. La lectura está limitada a una ranura específica en la pila, y el problema no proporciona un mecanismo de escritura. Corrija esto inicializando el valor temporal antes de copiar el conjunto de registros desde el espacio de usuario, como para otros conjuntos de registros (por ejemplo, NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). 
En el caso de una escritura de longitud cero, se conservarán los contenidos existentes de FPMR. Antes de este parche: | # ./fpmr-test | Intentando escribir NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) escribió 8 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) leyó 8 bytes | Leído NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Intentando escribir NT_ARM_FPMR (longitud cero) | SETREGSET(nt=0x40e, len=0) escribió 0 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) leyó 8 bytes | Leer NT_ARM_FPMR::fpmr = 0xffff800083963d50 Después de este parche: | # ./fpmr-test | Intentando escribir NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) escribió 8 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) leyó 8 bytes | Leer NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Intentando escribir NT_ARM_FPMR (longitud cero) | SETREGSET(nt=0x40e, len=0) escribió 0 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) leer 8 bytes | Leer NT_ARM_FPMR::fpmr = 
0x900d900d900d900d"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":4.2}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-908"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-908"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.12.5","matchCriteriaId":"EF8BDA69-3016-4248-8055-EA7662336040"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*","matchCriteriaId":"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8ab73c34e3c5b580721696665eabd799346bc50b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f5d71291841aecfe5d8435da2dfa7f58ccd18bc8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}