CVE-2024-0639: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-0639 is a denial of service vulnerability discovered in the Linux kernel's SCTP subsystem, specifically in the sctp_auto_asconf_init function within net/sctp/socket.c. The vulnerability was disclosed on January 17, 2024, and affects Linux kernel versions up to 6.4.16. This flaw allows local users with guest privileges to trigger a deadlock condition that could potentially crash the system (NVD, CVE).

The vulnerability stems from improper locking mechanisms in the SCTP subsystem. The issue occurs due to a potential deadlock scenario on the net->sctp.addr_wq_lock, where the same lock is acquired by both the timer sctp_addr_wq_timeout_handler() in protocol.c and sctp_auto_asconf_init() called from sctp_accept() under process context. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, GitHub Commit).

The vulnerability can result in a denial of service condition through a system crash caused by a kernel deadlock. The impact is limited to availability, with no direct effects on confidentiality or integrity. The flaw requires local user access to exploit, making it a significant concern for multi-user and virtualized environments (NVD).

The vulnerability has been fixed in Linux kernel 6.5-rc1 through a patch that modifies the locking mechanism to use spin_lock_bh() instead of spin_lock(). Major Linux distributions have released patches for their supported versions, including Ubuntu 22.04 LTS (5.15.0-86.96), 20.04 LTS (5.4.0-166.183), and 18.04 LTS (4.15.0-224.236). Users are advised to update their systems to the patched versions (Ubuntu Security, GitHub Commit).