CVE-2023-52449: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52449 is a NULL pointer dereference vulnerability discovered in the Linux kernel's MTD (Memory Technology Device) subsystem, specifically affecting the gluebi module when interacting with ftl.ko. The vulnerability was disclosed on February 22, 2024, and affects Linux kernel versions from 2.6.31 up to versions before 4.19.306, 5.4.268, 5.10.209, 5.15.148, and several other version ranges (NVD).

The vulnerability occurs when both ftl.ko and gluebi.ko modules are loaded, where the ftl notifier triggers a NULL pointer dereference when attempting to access 'gluebi->desc' in gluebi_read(). The issue arises because gluebi_get_device() is not executed in advance during the ftl_add_mtd() process. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial of service (system crash) when exploited. The impact is limited to availability with no direct impact on confidentiality or integrity of the system (NVD).

The solution involves preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME. The recommended approach is to run jffs2 on the UBI volume without considering working with ftl or mtdblock. Multiple Linux distributions have released patches to address this vulnerability, including Debian which has fixed it in version 5.10.209-2~deb10u1 (Debian LTS).