PT-2024-36930 · Linux · Linux Kernel
Manivannan Sadhasivam · Published 2024-11-20 · Updated 2025-09-29 · CVE-2024-56621
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
A vulnerability has been resolved in the Linux kernel, in the SCSI UFS core driver (scsi: ufs: core). The RTC update work was not cancelled in ufshcd_remove(), even though that work accesses ufshcd internal structures that are torn down on removal. If the work runs after the controller has been removed, it touches freed or NULL state, resulting in a kernel NULL pointer dereference at a virtual address (a kernel crash, consistent with the availability-only impact in the CVSS vector).
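The failure described above, and the fix the Recommendations section calls for, as an added example in userspace C written for this page (not kernel code and not the ufshcd driver's own source): a single-threaded model in which a periodic work item re-arms itself from its own handler, the unpatched remove frees the controller state while the work is still queued, and the fixed remove cancels the work first, undoing the steps of init in reverse order. The kernel-style names used here (schedule_delayed_work, cancel_delayed_work_sync, ufshcd_init, ufshcd_remove, the rtc_work field, struct ufs_regs) are simplified stand-ins defined in the block, not the kernel's actual API or the driver's real field names.

```c
/* Added illustration, not kernel code: kernel-sounding names below are
 * simplified stand-ins written for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct delayed_work {
    void (*fn)(struct delayed_work *w);
    bool pending;
    struct delayed_work *next;
};

/* Toy workqueue: a singly linked list of pending items. */
static struct delayed_work *wq_head;

static void schedule_delayed_work(struct delayed_work *w)
{
    if (w->pending)
        return;
    w->pending = true;
    w->next = wq_head;
    wq_head = w;
}

/* Unlink the item so it can never run again. The real helper also waits
 * for an in-flight instance; this model is single-threaded, so none exists. */
static void cancel_delayed_work_sync(struct delayed_work *w)
{
    struct delayed_work **pp = &wq_head;
    while (*pp) {
        if (*pp == w) {
            *pp = w->next;
            break;
        }
        pp = &(*pp)->next;
    }
    w->pending = false;
    w->next = NULL;
}

/* One workqueue tick: run everything queued so far. Items re-armed during
 * the run land on wq_head and wait for the next tick. */
static void run_pending_work(void)
{
    struct delayed_work *batch = wq_head;
    wq_head = NULL;
    while (batch) {
        struct delayed_work *w = batch;
        batch = w->next;
        w->pending = false;
        w->next = NULL;
        w->fn(w);
    }
}

struct ufs_regs { unsigned long rtc_seconds; };  /* stand-in for the RTC register */

struct ufs_hba {
    struct ufs_regs *regs;          /* NULL once the controller is torn down */
    struct delayed_work rtc_work;   /* stand-in name for the periodic RTC work */
    unsigned int updates;           /* successful RTC updates */
    unsigned int faults;            /* would-be NULL dereferences */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void rtc_work_fn(struct delayed_work *w)
{
    struct ufs_hba *hba = container_of(w, struct ufs_hba, rtc_work);
    /* In the kernel this is the oops: the work reads hba state that remove()
     * already tore down. The model counts the fault instead of crashing. */
    if (!hba->regs) {
        hba->faults++;
        return;
    }
    hba->regs->rtc_seconds++;
    hba->updates++;
    schedule_delayed_work(w);  /* periodic: re-arm for the next tick */
}

static void ufshcd_init(struct ufs_hba *hba)
{
    hba->regs = calloc(1, sizeof(*hba->regs));
    if (!hba->regs)
        abort();
    hba->rtc_work.fn = rtc_work_fn;
    schedule_delayed_work(&hba->rtc_work);  /* last step of init */
}

/* Before the fix: state freed, work left queued. */
static void ufshcd_remove_unpatched(struct ufs_hba *hba)
{
    free(hba->regs);
    hba->regs = NULL;
}

/* After the fix: undo init in reverse, so the work is gone before the state it reads. */
static void ufshcd_remove_fixed(struct ufs_hba *hba)
{
    cancel_delayed_work_sync(&hba->rtc_work);
    free(hba->regs);
    hba->regs = NULL;
}

/* Probe, let the work run twice, remove, tick once more. Returns faults seen
 * after removal; updates_out (may be NULL) receives the pre-removal update count. */
unsigned int simulate_remove(bool fixed, unsigned int *updates_out)
{
    struct ufs_hba hba = {0};
    wq_head = NULL;
    ufshcd_init(&hba);
    run_pending_work();
    run_pending_work();
    if (fixed)
        ufshcd_remove_fixed(&hba);
    else
        ufshcd_remove_unpatched(&hba);
    run_pending_work();  /* the tick after removal */
    if (updates_out)
        *updates_out = hba.updates;
    return hba.faults;
}

int main(void)
{
    printf("unpatched remove: %u fault(s) after removal\n", simulate_remove(false, NULL));
    printf("fixed remove:     %u fault(s) after removal\n", simulate_remove(true, NULL));
    return 0;
}
```

The unpatched path reports one fault on the tick after removal because the work re-armed itself while the device was alive and nothing dequeued it; the fixed path reports none. The general rule the example exercises is the one in the advisory: any deferred work that reads driver state must be cancelled synchronously in remove(), before that state is freed, in the reverse of the order init established it.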
Recommendations
To resolve the issue, cancel the RTC work in ufshcd_remove(), in an order that mirrors the setup sequence in ufshcd_init(). As a temporary workaround, consider disabling the ufshcd_rtc_work function until a patch is available. Restrict access to the ufshcd internal structures to minimize the risk of exploitation. Avoid triggering the RTC work after ufshcd_remove() until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Linux Kernel
Ubuntu