CVE-2024-49946

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58

Description: A vulnerability has been resolved in the Linux kernel where the ppp channel bridge input() function did not consider the case when the socket lock is acquired and packets are stored in the socket backlog. This could lead to inconsistent lock state and potential deadlocks. The networking receive path is usually handled from BH handler, but some protocols need to acquire the socket lock, and packets might be stored in the socket backlog if the socket was owned by a user process.

Recommendations: To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the ppp channel bridge input() function until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the sk backlog rcv() handler in process context until the issue is resolved.