CVE-2024-56617

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.74

Description A vulnerability in the Linux kernel has been resolved, where memory for cacheinfo is not allocated during CPU hotplug if not done from the primary CPU. This can lead to a NULL pointer dereference in the last level cache is valid() function. The issue occurs because some architectures, such as x86, do not use the early build functionality for cacheinfo. As a result, during the cacheinfo CPU hotplug callback, the last level cache is valid() function attempts to dereference a NULL pointer. The vulnerability can also cause issues in the update per cpu data slice size() function, which iterates over all online CPUs.

Recommendations To resolve the issue, update to Linux kernel version 6.6.74 or later. As a temporary workaround, consider disabling the last level cache is valid() function until a patch is available. Restrict access to the update per cpu data slice size() function to minimize the risk of exploitation. Avoid using the cache leaves() variable in the affected API endpoint until the issue is resolved.