CVE-2024-0340: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability was discovered in the Linux kernel's vhost_new_msg function located in drivers/vhost/vhost.c (CVE-2024-0340). The vulnerability was disclosed on January 9, 2024, and affects Linux kernel versions up to (excluding) 6.4. The flaw stems from improper memory initialization in messages passed between virtual guests and the host operating system (NVD, Red Hat).

The vulnerability exists in the vhost_new_msg function which fails to properly initialize memory in messages passed between virtual guests and the host operating system. The issue was fixed by replacing kmalloc() followed by memset() with kzalloc() to ensure proper memory initialization (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

This vulnerability allows local privileged users to read kernel memory contents when accessing the /dev/vhost-net device file. The impact is limited to information disclosure without any ability to modify system data or execute code (NVD, Ubuntu).

The vulnerability has been fixed in Linux kernel version 6.4-rc6. Multiple distributions have released patches, including Red Hat Enterprise Linux 8 via RHSA-2024:3618 and RHSA-2024:3627, Debian 10 via DLA-3840-1 and DLA-3842-1. Users are advised to update their kernel to the latest patched version (Red Hat, Debian).