CVE-2024-25739: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-25739 affects the Linux kernel through version 6.7.4. The vulnerability exists in the create_empty_lvol function within drivers/mtd/ubi/vtbl.c, where a missing check for ubi->leb_size can lead to an attempt to allocate zero bytes, resulting in a system crash (NVD, CVE).

The vulnerability occurs in the Unsorted Block Images (UBI) flash device volume management subsystem. The issue arises when the Logical Erase Block (LEB) size is smaller than a volume table record, causing the create_empty_lvol function to attempt a zero-byte allocation. This vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a system crash due to the attempted zero-byte allocation, resulting in a denial of service condition. The impact is limited to availability, with no direct effects on confidentiality or integrity (Ubuntu).

The vulnerability has been fixed in the Linux kernel with commit 68a24aba7c593eafa8fd00f2f76407b9b32b47a9, which adds a check for LEB size in the VTBL code. The patch ensures that if the LEB size is smaller than a volume table record, the system will abort attaching instead of attempting a zero-byte allocation (Kernel Commit).