CVE-2024-38632: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-38632 is a memory leak vulnerability discovered in the Linux kernel's VFIO/PCI subsystem. The issue specifically affects the vfiointxenable() function, where a failure in vfioirqctx_alloc() can lead to a memory leak of the 'name' variable. This vulnerability affects Linux kernel versions from 6.6.24 up to (excluding) 6.6.33 and from 6.9 up to (excluding) 6.9.4 (NVD).

The vulnerability stems from a missing cleanup in the error handling path of the vfiointxenable() function. When vfioirqctx_alloc() fails, the previously allocated 'name' memory is not properly freed, resulting in a memory leak. The issue was introduced in commit 18c198c96a81 ("vfio/pci: Create persistent INTx handler"). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a memory leak condition that could lead to resource exhaustion over time. While the impact is limited to availability concerns (no confidentiality or integrity impacts), the leak occurs in kernel memory space which could potentially affect system stability and performance (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that properly frees the 'name' variable in the error path. The fix has been backported to affected stable kernel versions. Users are advised to update to patched kernel versions: 6.6.33 or later for the 6.6.x series, and 6.9.4 or later for the 6.9.x series. The fix involves adding proper cleanup code in the error handling path of vfiointxenable() (Kernel Patch).