{"api_version":"1","generated_at":"2026-05-13T18:23:59+00:00","cve":"CVE-2024-47742","urls":{"html":"https://cve.report/CVE-2024-47742","api":"https://cve.report/api/cve/CVE-2024-47742.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-47742","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-47742"},"summary":{"title":"firmware_loader: Block path traversal","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Block path traversal\n\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\n\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n\n - lpfc_sli4_request_firmware_update() seems to construct the firmware\n   filename from \"ModelName\", a string that was previously parsed out of\n   some descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n - nfp_net_fw_find() seems to construct a firmware filename from a model\n   name coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\n   think parses some descriptor that was read from the device.\n   (But this case likely isn't exploitable because the format string looks\n   like \"netronome/nic_%s\", and there shouldn't be any *folders* starting\n   with \"netronome/nic_\". The previous case was different because there,\n   the \"%s\" is *at the start* of the format string.)\n - module_flash_fw_schedule() is reachable from the\n   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\n   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\n   enough to pass the privilege check), and takes a userspace-provided\n   firmware name.\n   (But I think to reach this case, you need to have CAP_NET_ADMIN over a\n   network namespace that a special kind of ethernet device is mapped into,\n   so I think this is not a viable attack path in practice.)\n\nFix it by rejecting any firmware names containing \"..\" path components.\n\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously.","state":"PUBLISHED","assigner":"Linux","published_at":"2024-10-21 13:15:04","updated_at":"2026-05-12 19:07:08"},"problem_types":["CWE-22"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec","name":"https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6","name":"https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4","name":"https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251","name":"https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f","name":"https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4","name":"https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394","name":"https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b","name":"https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","name":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb","name":"https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-47742","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47742","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e d1768e5535d3ded59f888637016e6f821f4e069f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e 9b1ca33ebd05b3acef5b976c04e5e791af93ce1b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e c30558e6c5c9ad6c86459d9acce1520ceeab9ea6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e a77fc4acfd49fc6076e565445b2bc5fdc3244da4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e 3d2411f4edcb649eaf232160db459bb4770b5251 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e 7420c1bf7fc784e587b87329cc6dfa3dca537aa4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e 28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e 6c4e13fdfcab34811c3143a0a03c05fec4e870ec git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected abb139e75c2cdbb955e840d6331cb5863e409d0e f0e5311aa8022107d63c54e2f03684ec097d1394 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 4.19.323 4.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.285 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.227 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.168 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.113 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.54 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.10.13 6.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.11.2 6.11.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"47742","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2024","cve_id":"47742","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-47742","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-10-21T12:59:04.060717Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-10-21T13:04:14.368Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T22:21:38.407Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/base/firmware_loader/main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"d1768e5535d3ded59f888637016e6f821f4e069f","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"9b1ca33ebd05b3acef5b976c04e5e791af93ce1b","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"c30558e6c5c9ad6c86459d9acce1520ceeab9ea6","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"a77fc4acfd49fc6076e565445b2bc5fdc3244da4","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"3d2411f4edcb649eaf232160db459bb4770b5251","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"7420c1bf7fc784e587b87329cc6dfa3dca537aa4","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"6c4e13fdfcab34811c3143a0a03c05fec4e870ec","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"},{"lessThan":"f0e5311aa8022107d63c54e2f03684ec097d1394","status":"affected","version":"abb139e75c2cdbb955e840d6331cb5863e409d0e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/base/firmware_loader/main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.7"},{"lessThan":"3.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"4.19.*","status":"unaffected","version":"4.19.323","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.285","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.227","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.168","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.113","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.54","versionType":"semver"},{"lessThanOrEqual":"6.10.*","status":"unaffected","version":"6.10.13","versionType":"semver"},{"lessThanOrEqual":"6.11.*","status":"unaffected","version":"6.11.2","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.12","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"4.19.323","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.285","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.227","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.168","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.113","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.54","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10.13","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.11.2","versionStartIncluding":"3.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12","versionStartIncluding":"3.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Block path traversal\n\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\n\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n\n - lpfc_sli4_request_firmware_update() seems to construct the firmware\n   filename from \"ModelName\", a string that was previously parsed out of\n   some descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n - nfp_net_fw_find() seems to construct a firmware filename from a model\n   name coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\n   think parses some descriptor that was read from the device.\n   (But this case likely isn't exploitable because the format string looks\n   like \"netronome/nic_%s\", and there shouldn't be any *folders* starting\n   with \"netronome/nic_\". The previous case was different because there,\n   the \"%s\" is *at the start* of the format string.)\n - module_flash_fw_schedule() is reachable from the\n   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\n   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\n   enough to pass the privilege check), and takes a userspace-provided\n   firmware name.\n   (But I think to reach this case, you need to have CAP_NET_ADMIN over a\n   network namespace that a special kind of ethernet device is mapped into,\n   so I think this is not a viable attack path in practice.)\n\nFix it by rejecting any firmware names containing \"..\" path components.\n\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously."}],"providerMetadata":{"dateUpdated":"2026-05-11T20:39:52.617Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/d1768e5535d3ded59f888637016e6f821f4e069f"},{"url":"https://git.kernel.org/stable/c/9b1ca33ebd05b3acef5b976c04e5e791af93ce1b"},{"url":"https://git.kernel.org/stable/c/c30558e6c5c9ad6c86459d9acce1520ceeab9ea6"},{"url":"https://git.kernel.org/stable/c/a77fc4acfd49fc6076e565445b2bc5fdc3244da4"},{"url":"https://git.kernel.org/stable/c/3d2411f4edcb649eaf232160db459bb4770b5251"},{"url":"https://git.kernel.org/stable/c/7420c1bf7fc784e587b87329cc6dfa3dca537aa4"},{"url":"https://git.kernel.org/stable/c/28f1cd94d3f1092728fb775a0fe26c5f1ac2ebeb"},{"url":"https://git.kernel.org/stable/c/6c4e13fdfcab34811c3143a0a03c05fec4e870ec"},{"url":"https://git.kernel.org/stable/c/f0e5311aa8022107d63c54e2f03684ec097d1394"}],"title":"firmware_loader: Block path traversal","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2024-47742","datePublished":"2024-10-21T12:14:10.499Z","dateReserved":"2024-09-30T16:00:12.959Z","dateUpdated":"2026-05-11T20:39:52.617Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-10-21 13:15:04","lastModifiedDate":"2026-05-12 19:07:08","problem_types":["CWE-22"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.7","versionEndExcluding":"4.19.323","matchCriteriaId":"02E209D0-429E-482D-972E-CBF56B5FB05A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.285","matchCriteriaId":"B5A89369-320F-47FC-8695-56F61F87E4C0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.227","matchCriteriaId":"795A3EE6-0CAB-4409-A903-151C94ACECC0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.168","matchCriteriaId":"4D51C05D-455B-4D8D-89E7-A58E140B864C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.113","matchCriteriaId":"D01BD22E-ACD1-4618-9D01-6116570BE1EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.54","matchCriteriaId":"D448821D-C085-4CAF-88FA-2DDE7BE21976"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.10.13","matchCriteriaId":"CE94BB8D-B0AB-4563-9ED7-A12122B56EBE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.2","matchCriteriaId":"AB755D26-97F4-43B6-8604-CD076811E181"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"47742","Ordinal":"1","Title":"firmware_loader: Block path traversal","CVE":"CVE-2024-47742","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"47742","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware_loader: Block path traversal\n\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\n\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n\n - lpfc_sli4_request_firmware_update() seems to construct the firmware\n   filename from \"ModelName\", a string that was previously parsed out of\n   some descriptor (\"Vital Product Data\") in lpfc_fill_vpd()\n - nfp_net_fw_find() seems to construct a firmware filename from a model\n   name coming from nfp_hwinfo_lookup(pf->hwinfo, \"nffw.partno\"), which I\n   think parses some descriptor that was read from the device.\n   (But this case likely isn't exploitable because the format string looks\n   like \"netronome/nic_%s\", and there shouldn't be any *folders* starting\n   with \"netronome/nic_\". The previous case was different because there,\n   the \"%s\" is *at the start* of the format string.)\n - module_flash_fw_schedule() is reachable from the\n   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\n   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\n   enough to pass the privilege check), and takes a userspace-provided\n   firmware name.\n   (But I think to reach this case, you need to have CAP_NET_ADMIN over a\n   network namespace that a special kind of ethernet device is mapped into,\n   so I think this is not a viable attack path in practice.)\n\nFix it by rejecting any firmware names containing \"..\" path components.\n\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously.","Type":"Description","Title":"firmware_loader: Block path traversal"}]}}}