gVisor Weak Hashing Enables IP & BootID Leakage
CVE-2024-10026 Published on January 30, 2025

Improved Seeding and Hashing In gVisor
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.

NVD

Weakness Types

Reversible One-Way Hash

The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques. This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.

Small Seed Space in PRNG

A PRNG uses a relatively small space of seeds.


Products Associated with CVE-2024-10026

Want to know whenever a new CVE is published for Google Gvisor? stack.watch will email you.

Google Gvisor
 

Affected Versions

Google gVisor Version Release 20241028.0 is unaffected by CVE-2024-10026

Exploit Probability

EPSS
0.07%
Percentile
21.54%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.