PT-2024-28080 · Linux+9 · Linux Kernel+9

Shay Drory · Published 2024-05-09 · Updated 2026-05-26 · CVE-2024-38608

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.5.0

Description

The vulnerability is related to the net/mlx5e driver in the Linux kernel. It occurs because mlx5e_suspend cleans resources only if netif_device_present() returns true, but mlx5e_resume changes the state of netif via mlx5e_nic_enable only if reg_state equals NETREG_REGISTERED. This can lead to a NULL pointer dereference and memory leaks in certain cases. The issue arises when mlx5e_probe calls mlx5e_resume, which in turn calls mlx5e_attach_netdev and mlx5e_nic_enable. If register_netdev fails, netif_device_present returns false, and resources are not freed, resulting in a memory leak.

Recommendations

To resolve this issue, update the Linux kernel to a version that includes the fix for the net/mlx5e driver. Specifically, ensure that the kernel version is 6.5.0 or later, as this version includes the necessary patches to address the vulnerability. If updating the kernel is not feasible, consider applying the patch for the net/mlx5e driver to the existing kernel version to fix the issue.

Exploit

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALSA-2024:5928
ALSA-2024:8856
ALSA-2024:8870
ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2025-12647
AZL-48210
AZL-48285
BDU:2025-03040
CESA-2024_8856
CESA-2024_8870
CVE-2024-38608
ECHO-76BC-1CE3-F83A
INFSA-2024_5928
INFSA-2024_8856
INFSA-2024_8870
OESA-2024-2292
OESA-2024-2293
OESA-2024-2295
OESA-2024-2296
OPENSUSE-SU-2024_2372-1
OPENSUSE-SU-2024_2394-1
RHSA-2024:5672
RHSA-2024:5673
RHSA-2024:5928
RHSA-2024:8856
RHSA-2024:8870
RHSA-2024_5928
RHSA-2024_8856
RHSA-2024_8870
RLSA-2024:8856
RLSA-2024:8870
SUSE-SU-2024:2360-1
SUSE-SU-2024:2372-1
SUSE-SU-2024:2381-1
SUSE-SU-2024:2394-1
SUSE-SU-2024:2561-1
SUSE-SU-2024:2571-1
SUSE-SU-2024:2896-1
SUSE-SU-2024:2939-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
USN-7513-1
USN-7513-2
USN-7513-3
USN-7513-4
USN-7513-5
USN-7514-1
USN-7515-1
USN-7515-2
USN-7522-1
USN-7523-1
USN-7524-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Linuxmint
Linux Kernel
Red Hat
Rocky Linux
Suse
Ubuntu