CVE-2024-45769: 
Rocky Linux vulnerability analysis and mitigation

A vulnerability (CVE-2024-45769) was discovered in Performance Co-Pilot (PCP), a suite of tools for system-level performance measurements. The vulnerability was disclosed on September 19, 2024. The flaw allows an attacker to send specially crafted data to the system, which could cause the program to misbehave or crash (NVD, Red Hat CVE).

The vulnerability exists in the PCP libpcp __pmDecodeValueSet routine which mishandles size checks in the Result PDU. When the pmcd metric store operation is enabled, this can allow heap corruption through maliciously crafted PDUs. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

If exploited, this vulnerability could allow an attacker to cause heap corruption in the calling program through specially crafted data, potentially leading to program crashes or misbehavior. The impact is primarily on the availability of the system, with no direct impact on confidentiality or integrity (Bugzilla).

Red Hat has released security updates to address this vulnerability across multiple versions of Red Hat Enterprise Linux. Users are advised to update their PCP packages to the latest versions available through the security advisories RHSA-2024:6837, RHSA-2024:6840, RHSA-2024:6842, RHSA-2024:6843, RHSA-2024:6844, RHSA-2024:6846, RHSA-2024:6847, and RHSA-2024:6848 (Red Hat CVE).