CVE-2024-0641: 
Linux Kernel vulnerability analysis and mitigation

A denial of service vulnerability (CVE-2024-0641) was discovered in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem, specifically in the tipc_crypto_key_revoke function within net/tipc/crypto.c. The vulnerability was disclosed on January 17, 2024, and affects Linux kernel versions up to (excluding) 6.6 (NVD, Red Hat).

The vulnerability stems from improper locking mechanisms in the TIPC subsystem. The issue occurs because tipc_crypto_key_revoke() can be invoked by workqueue tipc_crypto_work_rx() under process context and timer/rx callback under softirq context, leading to potential deadlock situations when acquiring tx->lock. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability allows local users with privileges to trigger a deadlock condition that could potentially crash the system, resulting in a denial of service. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD, Red Hat).

The vulnerability has been fixed in Linux kernel version 6.6-rc5. The fix involves changing the lock acquisition method from spin_lock() to spin_lock_bh() to prevent the potential deadlock. The patch has been committed to the mainline kernel repository (GitHub).