Cyber Resilience

CVE-2024-42861

High

Published: 23 September 2024

Modified: 18 March 2025
KEV Added:
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.3190 (96.9th percentile)
Risk Priority: 34 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-42861 is a high-severity vulnerability, with an unspecified weakness type, in the linuxptp project's linuxptp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 3.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-42861 is a denial-of-service vulnerability in linuxptp versions 4.2 and earlier that implement the IEEE 802.1AS Precision Time Protocol. The flaw resides in the time synchronization function and can be triggered by a crafted Pdelay_Req message, producing a CVSS 7.5 rating driven solely by network-reachable availability impact.

A remote attacker with no credentials or user interaction can send the malicious Pdelay_Req packet to an affected ptp daemon, disrupting clock synchronization across the 802.1AS domain and causing loss of precise timekeeping without affecting data confidentiality or integrity.

The single reference URL points to a GitHub repository associated with the CVE; no vendor advisory, patch information, or mitigation guidance is supplied in the available data. The EPSS score stands at 0.3190 with an identical peak value, indicating no material post-disclosure rise in observed exploitation interest.

Vulnerability details

An issue in IEEE 802.1AS linuxptp v.4.2 and before allows a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables a remote attacker on the same Ethernet network to send crafted Pdelay_Req messages, disabling the time synchronization function and causing endpoint denial of service via application exploitation in linuxptp.

Affected Assets

Vendor: linuxptp project
Product: linuxptp
Affected versions: ≤ 4.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.