CVE-2024-24860: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-24860 is a race condition vulnerability discovered in the Linux kernel's bluetooth device driver, specifically in the {min,max}_key_size_set() function. The vulnerability was reported on February 5, 2024, and affects Linux kernel versions up to 5.5.19 and from 6.0 to 6.7.2. This vulnerability can result in a null pointer dereference issue (NVD, Ubuntu).

The vulnerability occurs in the Bluetooth subsystem where the {min,max}key_size_set() function updates hdev->le{min,max}key_size parameters. The race condition exists because the function doesn't hold a lock while validating update parameters, allowing hdev->le{min,max}key_size to be modified between validation and update. This can lead to writing invalid le{min,max}_key_size values, potentially making le_max_key_size smaller than le_min_key_size. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects the Bluetooth component's encryption key length parameters. When exploited, it can cause abnormal Bluetooth encryption key lengths, potentially compromising Bluetooth encryption security. On Ubuntu systems, the vulnerability requires write access to debugfs entries, which are restricted to root by default. The primary impact is the possibility of a denial of service through system crash (Ubuntu, OpenAnolis).

A fix has been implemented by expanding the buffer zone and including the parameter validation code within the hci_dev_lock critical section. The patch has been accepted into the Linux Kernel Bluetooth subsystem. The fix is available through various distribution updates, including Ubuntu security updates for affected versions and Debian security patches (OpenAnolis, Debian).