CVE-2024-36899
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2024-36899 is a use-after-free vulnerability discovered in the Linux kernel's GPIO (General Purpose Input/Output) subsystem. The vulnerability was first disclosed on May 30, 2024, affecting Linux kernel versions from 5.7 through 6.6.31, and versions 6.7 through 6.8.10, as well as various release candidates of version 6.9 (NVD).

Technical details

The vulnerability occurs in the GPIO character device driver when a device file is closed. In gpio_chrdev_release(), the watched_lines bitmap is freed before the lineinfo_changed_nb notifier is unregistered from the notifier chain. This creates a race condition: the unregistration has to wait for the chain's write rwsem while another of the GPIO chip's lines still holds the read rwsem, so the watched_lines memory can be accessed after it has been freed (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High), with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

While the vulnerability results in a use-after-free condition that generates an incorrect GPIO line event for userspace, the actual impact is limited because the character device is being closed at the time of the event generation, preventing userspace from reading the erroneous event (Kernel Patch).

Mitigation and workarounds

The issue has been fixed by reordering the operations in gpio_chrdev_release() so that bitmap_free() is called only after the lineinfo_changed_nb notifier has been unregistered from the chain. The fix has been incorporated into various Linux kernel versions through security updates (Red Hat).
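To make the ordering described in the technical details and the fix concrete, here is an added example (not kernel code and not from the patch itself): a userspace model in which the notifier chain, the cdev structure and the interleaving are constructed stand-ins for the kernel's chain and its rwsem. It runs the same close() against the same racing event with the original order and with the fixed order, and counts reads of the bitmap after it was freed.

```c
/* Added example (not kernel code): a userspace model of the release ordering in
 * gpio_chrdev_release(). The notifier chain and the interleaving are constructed
 * stand-ins for the kernel's chain and its read/write rwsem. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct notifier_block { int (*notifier_call)(struct notifier_block *, unsigned long);
                        struct notifier_block *next; };
struct notifier_head { struct notifier_block *head; };
struct gpio_chardev_data {
    unsigned long *watched_lines;              /* NULL once freed, so a stale use is visible */
    struct notifier_block lineinfo_changed_nb;
    int stale_reads;                           /* reads of watched_lines after bitmap_free() */
};
#define container_of(p, t, m) ((t *)((char *)(p) - offsetof(t, m)))
/* Model of lineinfo_changed_notify(): returns 1 when an event would be queued for userspace. */
static int lineinfo_changed_notify(struct notifier_block *nb, unsigned long offset)
{
    struct gpio_chardev_data *cdev = container_of(nb, struct gpio_chardev_data, lineinfo_changed_nb);
    if (!cdev->watched_lines) { cdev->stale_reads++; return 0; }    /* the use-after-free */
    return (cdev->watched_lines[offset / 64] >> (offset % 64)) & 1;
}
static void chain_register(struct notifier_head *nh, struct notifier_block *nb)
{ nb->next = nh->head; nh->head = nb; }
static void chain_unregister(struct notifier_head *nh, struct notifier_block *nb)
{ for (struct notifier_block **pp = &nh->head; *pp; pp = &(*pp)->next)
      if (*pp == nb) { *pp = nb->next; return; } }
static void chain_call(struct notifier_head *nh, unsigned long offset)
{ for (struct notifier_block *nb = nh->head; nb; nb = nb->next) nb->notifier_call(nb, offset); }
/* One close() racing with one line-state event: fixed=false frees first (vulnerable order),
 * fixed=true unregisters first, the order the upstream fix establishes. */
static int model_release(struct notifier_head *nh, struct gpio_chardev_data *cdev, bool fixed)
{
    if (!fixed) { free(cdev->watched_lines); cdev->watched_lines = NULL; }
    /* Another line holds the read rwsem and delivers its event while this close() still waits for the write rwsem. */
    chain_call(nh, 3);
    chain_unregister(nh, &cdev->lineinfo_changed_nb);
    if (fixed) { free(cdev->watched_lines); cdev->watched_lines = NULL; }
    return cdev->stale_reads;
}
/* Creates a cdev watching no lines, closes it, returns the number of stale reads. */
int run_release(bool fixed)
{
    struct notifier_head nh = { NULL };
    struct gpio_chardev_data cdev = { .watched_lines = calloc(1, sizeof(unsigned long)),
                                      .lineinfo_changed_nb.notifier_call = lineinfo_changed_notify };
    chain_register(&nh, &cdev.lineinfo_changed_nb);
    return model_release(&nh, &cdev, fixed);
}
```

With the original order the callback is still reachable when the bitmap is already gone (one stale read); with the fixed order the callback runs against a live bitmap and is removed before the free.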

Source: This report was generated using AI.
