CVE-2024-43873: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-43873 affects the Linux kernel's vhost/vsock subsystem. The vulnerability was discovered in August 2024 and involves uninitialized seqpacket_allow variable issues. The vulnerability affects Linux kernel versions from 5.14 up to (excluding) 5.15.165, from 5.16 up to (excluding) 6.1.103, from 6.2 up to (excluding) 6.6.44, and from 6.7 up to (excluding) 6.10.3 (NVD).

The vulnerability stems from two specific issues in the vhost/vsock subsystem: 1) The seqpacket_allow variable is not initialized when a socket is created, potentially leading to reading uninitialized values, and 2) When VIRTIO_VSOCK_F_SEQPACKET is set and then cleared, the seqpacket_allow is not cleared appropriately. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Kernel Patch).

The vulnerability could potentially lead to privilege escalation, denial of service, or information leaks in affected systems. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed by initializing seqpacket_allow after allocation and setting it unconditionally in set_features. The fix has been implemented in various kernel versions through patches. Ubuntu has released fixes for affected versions including 24.04 LTS (6.8.0-50.51), 22.04 LTS (5.15.0-125.135), and others (Ubuntu).