
CVE-2024-39493 is a memory leak vulnerability discovered in the Linux kernel's crypto QAT (Quick Assist Technology) driver. The vulnerability was identified in the ADF_DEV_RESET_SYNC functionality, where using completion_done to determine whether the caller has gone away only works after a complete call. Additionally, there was a potential Use-After-Free (UAF) vulnerability when the caller has not yet called wait_for_completion (NVD).
The vulnerability exists in the Linux kernel's crypto QAT driver, specifically in the ADF_DEV_RESET_SYNC mechanism. The issue stems from improper memory management during device reset operations. The CVSS v3.1 base score is 5.5 (Medium), with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability affects multiple Linux kernel versions including 4.19.312 through 4.19.316, 5.4.274 through 5.4.278, 5.10.215 through 5.10.219, 5.15.154 through 5.15.161, and others (NVD).
The vulnerability could lead to memory leaks and potential Use-After-Free conditions in the Linux kernel's crypto QAT driver. This could affect system stability and potentially lead to denial of service conditions (NVD).
The vulnerability has been fixed by making the caller use cancel_work_sync and then freeing the memory safely. The fix has been implemented in various Linux kernel versions and distributions. Ubuntu has released patches for affected versions including 24.04 LTS, 22.04 LTS, and 20.04 LTS (Ubuntu). Debian has also fixed the issue in bullseye (5.10.234-1) and bookworm (6.1.128-1) releases (Debian).
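As an added example (not part of the original advisory or of any vendor tooling), the shell function below triages a kernel release string against the upstream stable ranges listed above and reports whether a QAT module is loaded. It assumes upstream-style version numbers and that QAT module names contain "qat"; distribution kernels such as the Ubuntu and Debian ones named above carry backported fixes and must be checked against the vendor's fixed package version instead.

```shell
#!/bin/sh
# Upstream stable ranges the page lists as affected, as series:first:last.
# The page ends the list with "and others", so this table is not exhaustive.
LISTED_RANGES="4.19:312:316 5.4:274:278 5.10:215:219 5.15:154:161"

# classify RELEASE  ->  prints listed | not-listed | unparsed
# RELEASE is an upstream-style version such as 5.10.216 or 5.10.216-custom.
# "not-listed" means "outside the ranges quoted on the page", not "fixed".
classify() {
    ver=${1%%[-+]*}                      # strip local suffix (-custom, +build)
    case $ver in
        *.*.*.*|*[!0-9.]*) echo unparsed; return 0 ;;
        *.*.*) ;;
        *) echo unparsed; return 0 ;;
    esac
    series=${ver%.*}                     # e.g. 5.10
    patch=${ver##*.}                     # e.g. 216
    case $patch in '') echo unparsed; return 0 ;; esac
    for r in $LISTED_RANGES; do
        s=${r%%:*}; rest=${r#*:}
        lo=${rest%%:*}; hi=${rest#*:}
        if [ "$series" = "$s" ] && [ "$patch" -ge "$lo" ] && [ "$patch" -le "$hi" ]; then
            echo listed; return 0
        fi
    done
    echo not-listed
}

# qat_loaded: exit 0 if a loaded module name contains "qat".
# Assumption: QAT driver modules are named that way on this host.
qat_loaded() {
    grep -q '^[^ ]*qat' /proc/modules 2>/dev/null
}

# Report for the running kernel, or for a version passed as the first argument.
rel=${1:-$(uname -r)}
echo "$rel: $(classify "$rel")"
if qat_loaded; then
    echo "QAT module loaded: the affected driver is in use on this host"
else
    echo "no QAT module loaded"
fi
```

A "listed" result on a host with a QAT module loaded is the combination to prioritise for patching.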
Source: This report was generated using AI