CVE-2024-41098

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.10.0-rc5

Description A null pointer dereference vulnerability has been resolved in the Linux kernel. The issue occurs when the ata port alloc() call in ata host alloc() fails, causing ata host release() to be called. However, the code in ata host release() tries to free ata port struct members unconditionally, leading to a page fault error. This can result in a system crash or potentially allow an attacker to execute arbitrary code.

Recommendations To resolve this issue, update the Linux kernel to a version later than 6.10.0-rc5. As a temporary workaround, consider disabling the ata host release() function until a patch is available. Restrict access to the libata module to minimize the risk of exploitation. Avoid using the ata port alloc() and ata host alloc() functions in combination until the issue is resolved. Apply configuration changes to prevent the ata host release() function from being called unnecessarily.