CVE-2024-50061

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description The issue is related to a use-after-free vulnerability in the cdns i3c master driver due to a race condition. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the cdns i3c master remove function is called, which frees the master->base resource, but the cdns i3c master hj work is still bound to it and can be used by the i3c master do daa function, leading to a use-after-free bug.

Recommendations To resolve the issue, ensure that the work is canceled before proceeding with the cleanup in cdns i3c master remove. Update to Linux kernel version 6.6.58 or later, which includes the fix for this vulnerability. As a temporary workaround, consider disabling the cdns i3c master driver until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the master->base resource in the affected API endpoints until the issue is resolved.