CVE-2024-39495: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39495 is a use-after-free vulnerability discovered in the Linux kernel's greybus subsystem. The vulnerability specifically affects the gbinterfacerelease function due to a race condition. The issue was identified and disclosed in July 2024, affecting multiple versions of the Linux kernel up to versions 5.4.279, 5.10.221, 5.15.162, 6.1.95, and 6.6.35 (NVD).

The vulnerability occurs in the gbinterfacerelease function where a race condition can lead to a use-after-free error. The issue arises when gbinterfacecreate binds intf->modeswitchcompletion with gbinterfacemodeswitchwork, which is then started by gbinterfacerequestmodeswitch. If gbinterfacerelease is called for cleanup while there is an unfinished work, the object 'intf' may be freed while gbinterfacemodeswitchwork is still attempting to use it. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow a privileged local attacker to potentially achieve high levels of confidentiality, integrity, and availability impacts on the affected system. The high CVSS score of 7.8 indicates that successful exploitation could lead to significant system compromise (NVD).

The vulnerability has been patched by adding a call to cancelworksync(&intf->modeswitchwork) before freeing the interface object in gbinterfacerelease. This ensures that any pending work is properly canceled before the object is freed. Users should update their Linux kernel to the latest patched version (Kernel Patch).