Is proxmox affected by CVE-2024-1086?

joseE

New Member
Mar 27, 2024
Hi, due to the recent update of CVE-2024-1086, I've been trying to figure out if the proxmox kernel would be affected as well. Based only on versioning I would say it is, but I know there are major differences with the standard Kernel used by Debian. So here are my questions:
  1. Is the pve kernel affected?
  2. If so, which versions?
  3. When should we expect a patch or update to mitigate the vulnerability?
If this information has been already published or posted somewhere else, please point me in that direction because I didn't find it.

Thanks in advance!
We base our kernel on the Ubuntu kernel. The exploit's GitHub page states the following [1]:
The exploit does not work on v6.4> kernels with kconfig CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (including Ubuntu v6.5)
The Ubuntu Repo seems to take the settings from Debian itself here [2]. We don't alter this option. So it should be set on your machine. You can easily check if that's the case with this command: cat /boot/config-$(uname -r) | grep CONFIG_INIT_ON_ALLOC_DEFAULT_ON.

[1]: https://github.com/Notselwyn/CVE-2024-1086
[2]: https://git.launchpad.net/~ubuntu-k.../tree/debian.master/config/annotations#n14162
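The reply above suggests grepping the running kernel's config for CONFIG_INIT_ON_ALLOC_DEFAULT_ON. The following POSIX shell script is an added example (not from the reply, not Proxmox or Ubuntu code) that turns that check into a reusable function and adds one caveat a practitioner would want: the Kconfig value is only a default, and the kernel command-line parameter init_on_alloc=0 or init_on_alloc=1 overrides it at boot, so /proc/cmdline has to be consulted as well. The function names, the --live flag and the sample config lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report whether init_on_alloc hardening is in effect.
# It reads a kernel config file (as the reply suggests) and the kernel
# command line, because init_on_alloc=0/1 on the command line overrides
# the CONFIG_INIT_ON_ALLOC_DEFAULT_ON Kconfig default at boot.

# Returns 0 when the given config file has CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
# as a whole line, 1 otherwise (also when the option is "not set").
config_has_init_on_alloc() {
    grep -qx 'CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y' "$1"
}

# Prints "on" or "off": the effective state for a kernel built with the
# config in $1 and booted with the command line string in $2.
# A command-line override wins; otherwise the Kconfig default applies.
effective_init_on_alloc() {
    config_file="$1"
    cmdline="$2"
    # Pad with spaces so a bare word match cannot hit a substring
    # such as "init_on_alloc=10" or "xinit_on_alloc=0".
    case " $cmdline " in
        *" init_on_alloc=0 "*) echo off; return 0 ;;
        *" init_on_alloc=1 "*) echo on; return 0 ;;
    esac
    if config_has_init_on_alloc "$config_file"; then
        echo on
    else
        echo off
    fi
}

# Convenience wrapper for the running kernel: uses the same paths the
# reply points at (/boot/config-$(uname -r)) plus /proc/cmdline.
check_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ]; then
        echo "config file $cfg not readable; cannot determine Kconfig default" >&2
        return 2
    fi
    state=$(effective_init_on_alloc "$cfg" "$(cat /proc/cmdline)")
    echo "kernel $(uname -r): init_on_alloc is $state"
    [ "$state" = on ]
}

# Self-check on constructed sample config files (not real kernel configs).
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y\nCONFIG_INIT_ON_FREE_DEFAULT_ON=n\n' \
        > "$tmp/config-hardened"
    printf '# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set\n' > "$tmp/config-plain"
    echo "hardened config, no override: $(effective_init_on_alloc "$tmp/config-hardened" "quiet")"
    echo "plain config, no override:    $(effective_init_on_alloc "$tmp/config-plain" "quiet")"
    echo "hardened config, =0 override: $(effective_init_on_alloc "$tmp/config-hardened" "quiet init_on_alloc=0")"
    echo "plain config, =1 override:    $(effective_init_on_alloc "$tmp/config-plain" "init_on_alloc=1 quiet")"
    rm -rf "$tmp"
}

# Usage: sh check_init_on_alloc.sh --live   (inspect the running kernel)
#        sh check_init_on_alloc.sh --demo   (run the constructed samples)
case "${1:-}" in
    --live) check_running_kernel ;;
    --demo) demo ;;
esac
```

Run it with --live on a PVE host to get a one-line verdict with a non-zero exit status when the mitigation is off, which makes it easy to drop into a configuration audit. Note that "on" only confirms this particular hardening default; it says nothing about whether the kernel package itself carries the CVE-2024-1086 fix, which is a separate question for the package changelog.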