
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-36476 affects the Linux kernel's RDMA/rtrs subsystem. The vulnerability was discovered in January 2025 and involves an accessibility issue with the 'ib_sge list' variable in the RDMA/rtrs server functionality. The issue affects various Linux distributions including Ubuntu 24.04 LTS, 22.04 LTS, and multiple kernel versions (Ubuntu Security).
The vulnerability stems from a variable scope issue where the 'ib_sge list' variable was incorrectly declared within an 'always_invalidate' block, limiting its accessibility throughout the function. This implementation error could lead to a kernel NULL pointer dereference, as evidenced by the stack trace in the kernel logs. The issue was traced back to the original RDMA/rtrs server functionality implementation (Kernel Commit).
When triggered, the vulnerability results in a kernel NULL pointer dereference, which can cause system crashes and potential denial of service conditions. The issue specifically affects systems utilizing the RDMA/rtrs subsystem in the Linux kernel (Ubuntu Security).
The issue has been fixed by moving the declaration of the 'ib_sge list' variable outside the 'always_invalidate' block, ensuring it remains accessible throughout the function. This fix has been implemented in various kernel versions and is being distributed through distribution-specific updates (Ubuntu Security).
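The scope problem and its fix described above, modelled as an added userspace example (not the kernel's code and not taken from the patch). The struct and function names are hypothetical, the values are constructed, and the model assumes the pointer to the block-scoped entry is read only after the block has closed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for a scatter/gather entry and a send request. */
struct sge { uint64_t addr; uint32_t length; uint32_t lkey; };
struct send_wr { const struct sge *sg_list; int num_sge; };

/* Stand-in for posting: the entries are read here, after setup is done. */
static uint32_t post_send(const struct send_wr *wr)
{
    uint32_t total = 0;
    for (int i = 0; i < wr->num_sge; i++)
        total += wr->sg_list[i].length;
    return total;
}

#ifdef SHOW_BUGGY
/* Pre-fix shape: 'list' ends its lifetime at the closing brace of the
 * block, but wr.sg_list still points at it when post_send() runs. */
uint32_t build_and_post_buggy(int always_invalidate, uint32_t rsp_len)
{
    struct send_wr wr = { NULL, 0 };
    if (always_invalidate) {
        struct sge list = { 0x1000, rsp_len, 1 }; /* constructed values */
        wr.sg_list = &list;
        wr.num_sge = 1;
    }
    return post_send(&wr); /* reads a dead stack object */
}
#endif

/* Post-fix shape: 'list' is declared at function scope, so it is still
 * alive when post_send() follows the pointer. */
uint32_t build_and_post_fixed(int always_invalidate, uint32_t rsp_len)
{
    struct sge list;
    struct send_wr wr = { NULL, 0 };
    if (always_invalidate) {
        list = (struct sge){ 0x1000, rsp_len, 1 }; /* constructed values */
        wr.sg_list = &list;
        wr.num_sge = 1;
    }
    return post_send(&wr);
}

int main(void)
{
    return build_and_post_fixed(1, 64) == 64 ? 0 : 1;
}
```

The pre-fix variant is compiled only with -DSHOW_BUGGY; calling it from an unoptimized build with -fsanitize=address is a way to have AddressSanitizer flag the read as stack-use-after-scope.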
Source: This report was generated using AI