CVE-2024-24864: 
Linux Debian vulnerability analysis and mitigation

A race condition vulnerability (CVE-2024-24864) was discovered in the Linux kernel's media/dvb-core subsystem, specifically in the dvbdmx_write() function. The vulnerability was reported on February 4, 2024, by researchers from the School of Cyberspace Security at Beihang University. This security flaw affects Linux kernel versions up to 2.6.11, and versions from 6.0 up to 6.7.2, including version 6.8-rc1 (NVD).

The vulnerability stems from a race condition in the dvbdmx_write() function where the demux->frontend pointer is checked for null without proper synchronization. After checking the pointer's validity, but before dereferencing it, there's a window where other threads could set the pointer to null through functions like dvbdmx_disconnect_frontend, potentially leading to a null pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, OpenAnolis Bug).

When exploited, this vulnerability can result in a kernel panic, leading to system suspension and a denial of service condition. The impact is particularly significant as the affected module is compiled directly into the kernel (OpenAnolis Bug).

A fix has been proposed that involves protecting the demux->frontend null check and dereference operations with dvbdemux->mutex to prevent concurrent nullification. The patch has been submitted to the Linux Kernel Media subsystem maintainers (OpenAnolis Bug).