CVE-2024-10604

Identifiable Header Values In Fuchsia Leading To Tracking of The User

CVSS 6.9 MEDIUM · EPSS 0.2% · CWE-330
Vexday Risk Score
13 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9 · EPSS 0.2% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
30 Jan 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Vulnerabilities in the algorithms used by Fuchsia to populate network protocol header fields, specifically the TCP ISN, TCP timestamp, TCP and UDP source ports, and IPv4/IPv6 fragment ID, allow for these values to be guessed under circumstances
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
Google · Fuchsia
