CVE-2024-39487: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39487 is a security vulnerability discovered in the Linux kernel's bonding driver, specifically in the bondoptionarpiptargets_set() function. The vulnerability was disclosed on July 9, 2024, and affects Linux kernel versions from 3.13 up to versions before 4.19.318, 5.4.280, 5.10.222, 5.15.163, 6.1.98, 6.6.39, and 6.9.9. The issue involves an out-of-bounds read vulnerability that occurs when processing empty strings in the ARP IP targets setting functionality (NVD).

The vulnerability exists in the bondoptionarpiptargets_set() function where if newval->string is an empty string, newval->string+1 will point to the byte after the string, causing an out-of-bounds read. This was confirmed through KASAN (Kernel Address Sanitizer) which detected a slab-out-of-bounds read in the strlen function at lib/string.c:418. The issue stems from insufficient input validation before accessing string data (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability can lead to an out-of-bounds read condition, potentially allowing an attacker to read memory outside of intended boundaries. This could result in information disclosure or system crashes. The vulnerability requires local access and low privileges to exploit (NVD).

The vulnerability has been fixed by adding a check of string length before using it in the bondoptionarpiptargets_set() function. The fix has been implemented in various kernel versions through patches. Users should update their Linux kernel to the latest patched versions: 4.19.318, 5.4.280, 5.10.222, 5.15.163, 6.1.98, 6.6.39, or 6.9.9 or later (Kernel Patch).