Weak Hashing Algorithm in Google gVisor Exposes Device Tracking Risks
CVE-2024-10026

6.3MEDIUM

Key Information:

Vendor: Google
Status: Gvisor
Vendor: CVE Published:; 30 January 2025

What is CVE-2024-10026?

A vulnerability in Google's gVisor arises from the use of a weak hashing algorithm combined with small sizes of seeds and secrets. This flaw allows remote attackers to potentially calculate a local IP address and generate a per-boot identifier, which can be exploited to track devices under specific conditions. As a result, the integrity and privacy of user sessions may be compromised, highlighting the need for enhanced security measures in gVisor's design.

Affected Version(s)

gVisor Release 20241028.0

References

https://github.com/google/gvisor/commit/f956b5ac17ae1f60a...

https://github.com/google/gvisor/commit/e54bfde79278cafad...

https://github.com/google/gvisor/commit/83f75082e5b03fafc...

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 30, 2025
Vulnerability Reserved
Oct 16, 2024