
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-46905 is a vulnerability discovered in the Linux kernel affecting the HSO (High Speed Option) USB driver. The issue was introduced when fixing a previous null pointer dereference during TTY device unregistration, but inadvertently created an unconditional NULL-pointer dereference on every disconnect operation. The vulnerability was publicly disclosed on February 26, 2024, and affects various Linux kernel versions (Red Hat Portal).
The vulnerability stems from a regression introduced by commit 8a12f8836145, which attempted to fix a racy minor allocation reported by syzbot. That fix created a new issue: the serial device table was accessed after the minor had already been released by hso_serial_tty_unregister(). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating that local access is required and that the primary impact is on system availability (Red Hat Portal).
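The ordering problem described above, as an added userspace model that is not the driver's code or the upstream patch: every `model_*` and `disconnect_*` name is hypothetical, and the model assumes that releasing the minor clears the device's slot in the table. The safe variant shows one way to avoid the pattern by keeping the pointer captured before the release.

```c
#include <stddef.h>
#include <stdio.h>
#define MODEL_MINORS 4                        /* constructed table size */

struct model_dev { int minor; int refs; };    /* hypothetical stand-in for a serial device */
static struct model_dev *model_table[MODEL_MINORS];   /* models the serial device table */

static void model_register(struct model_dev *d, int minor)
{
    d->minor = minor;
    d->refs = 1;
    model_table[minor] = d;
}

/* Assumption: releasing the minor clears the device's slot in the table. */
static void model_unregister(struct model_dev *d)
{
    model_table[d->minor] = NULL;
}

/* Regressed ordering: the table is read again after the minor is released. */
static int disconnect_regressed(int minor)
{
    struct model_dev *d = model_table[minor];
    if (!d)
        return 0;                 /* nothing registered on this minor */
    model_unregister(d);
    if (model_table[minor] == NULL)
        return -1;                /* where a kernel would dereference NULL */
    return --model_table[minor]->refs;
}

/* Safe ordering: keep using the pointer captured before the release. */
static int disconnect_safe(int minor)
{
    struct model_dev *d = model_table[minor];
    if (!d)
        return 0;
    model_unregister(d);
    return --d->refs;             /* 0 means the last reference was dropped */
}

int main(void)
{
    struct model_dev a, b;
    model_register(&a, 1);
    model_register(&b, 2);
    printf("regressed=%d safe=%d\n", disconnect_regressed(1), disconnect_safe(2));
    return 0;
}
```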
The vulnerability affects system availability through a NULL pointer dereference that occurs during device disconnection. While there are no direct impacts on confidentiality or integrity, the flaw can lead to system crashes when exploited (Red Hat Portal).
The vulnerability has been fixed in various Linux kernel versions. Red Hat has released fixes for Enterprise Linux 8 through RHSA-2021:4140 and RHSA-2021:4356. Ubuntu has also provided fixes for affected versions including 20.04 LTS (focal) and 18.04 LTS (bionic) (Ubuntu Security, Red Hat Portal).
Source: This report was generated using AI