CVE-2024-35904: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-35904 affects the Linux kernel's SELinux subsystem. The vulnerability was discovered in May 2024 and involves a potential NULL pointer dereference in the selinuxfs mount failure handling code. The issue affects Linux kernel versions from 4.17 up to (excluding) 6.6.26, and versions from 6.7 up to (excluding) 6.8.5, as well as release candidates 6.9-rc1 and 6.9-rc2 (NVD).

The vulnerability stems from improper error handling in the SELinux filesystem mount process. When kern_mount() fails and returns an error pointer, the code continues execution instead of properly handling the error, leading to a potential dereference of an invalid pointer. The issue was introduced by commit 0619f0f5e36f ("selinux: wrap selinuxfs state") and has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability can lead to a denial of service condition through a NULL pointer dereference in the SELinux subsystem. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in multiple kernel versions through a patch that properly handles the error condition by returning immediately when kernmount() fails. The fix also removes an unused static variable selinuxfsmount. Updates are available for various Linux distributions, including Ubuntu versions 22.04 LTS (5.15.0-127.137), 20.04 LTS (5.4.0-202.222), and others (Ubuntu, Kernel Patch).