PT-2024-35556 · Linux+3 · Linux Kernel+3
Published: 2024-11-06 · Updated: 2025-02-28
CVE-2024-53092
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.11.0-rc5
Description
A kernel NULL pointer dereference bug has been resolved in the Linux kernel. The issue occurs in the virtio_pci module, specifically in the vp_modern_avq_cleanup() and vp_del_vqs() functions, which clean up admin vq resources using the incorrect info pointer. The correct info pointer is stored in vp_dev->admin_vq.info instead of vp_dev->vqs[]. This bug causes a kernel NULL pointer dereference when vp_reset calls vp_modern_avq_cleanup(). The estimated number of potentially affected devices and details about real-world incidents are not provided.
Recommendations
For Linux kernel versions prior to 6.11.0-rc5, update to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the virtio_pci module to minimize the risk of exploitation. Avoid using the vp_reset function until the issue is resolved. Additionally, consider disabling the vp_modern_avq_cleanup() and vp_del_vqs() functions until a patch is available.
Exploit
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Ubuntu
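The wrong-pointer lookup from the Description above, modelled in user space as an added example (not the kernel's code or its patch). The struct layout, the helper names and the assumption that the admin queue's slot in vqs[] is NULL are constructed for illustration; only the field names vqs[] and admin_vq.info come from the advisory text.

```c
/* Simplified user-space model, not kernel source; names are hypothetical. */
#include <stdio.h>

#define NUM_VQS   2          /* constructed: two regular virtqueues */
#define ADMIN_IDX NUM_VQS    /* constructed: admin vq index follows them */

struct vq_info { int active; };

struct vp_dev_model {
    struct vq_info storage[NUM_VQS + 1];       /* backing storage for the model */
    struct vq_info *vqs[NUM_VQS + 1];          /* models vp_dev->vqs[] */
    struct { struct vq_info *info; } admin_vq; /* models vp_dev->admin_vq.info */
};

/* Regular queues are recorded in vqs[]; the admin queue's info is recorded
 * only in admin_vq.info, so vqs[ADMIN_IDX] stays NULL (model assumption). */
static void model_setup(struct vp_dev_model *d)
{
    for (int i = 0; i < NUM_VQS; i++) {
        d->storage[i].active = 1;
        d->vqs[i] = &d->storage[i];
    }
    d->vqs[ADMIN_IDX] = NULL;
    d->storage[ADMIN_IDX].active = 1;
    d->admin_vq.info = &d->storage[ADMIN_IDX];
}

/* Lookup the description attributes to the bug: NULL for the admin queue. */
static struct vq_info *admin_info_buggy(struct vp_dev_model *d) { return d->vqs[ADMIN_IDX]; }

/* Lookup the description gives as correct. */
static struct vq_info *admin_info_fixed(struct vp_dev_model *d) { return d->admin_vq.info; }

/* Returns -1 at the point where unguarded cleanup code would dereference NULL. */
static int admin_cleanup(struct vp_dev_model *d, struct vq_info *info)
{
    if (!info) return -1;
    info->active = 0;
    d->admin_vq.info = NULL;
    return 0;
}

int main(void)
{
    struct vp_dev_model d;
    model_setup(&d);
    printf("vqs[] lookup:         %d\n", admin_cleanup(&d, admin_info_buggy(&d)));
    printf("admin_vq.info lookup: %d\n", admin_cleanup(&d, admin_info_fixed(&d)));
    return 0;
}
```

The explicit NULL check stands in for the crash: the model reports -1 where code that trusted the vqs[] entry would fault.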