CVE-2024-49852

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.58

Description The issue is related to a use after free vulnerability in the efc nport vport del() function in the Linux kernel's SCSI component, specifically in the elx and libefc modules. This vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the kref put() function calls nport->release, which frees the "nport" memory, but then dereferences "nport" on the next line, resulting in a use after free.

Recommendations For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider re-ordering the lines in the efc nport vport del() function to avoid the use after free, by calling the efc nport free() function after the refcount drops to zero, and then avoiding any further dereferences of the "nport" memory.