CVE-2024-39496: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39496 is a use-after-free vulnerability discovered in the Linux kernel's BTRFS file system, specifically in the zoned device functionality. The vulnerability was disclosed on July 12, 2024, affecting Linux kernel versions up to 6.1.95, from 6.2 up to 6.6.35, and from 6.7 up to 6.9.6 (NVD).

The vulnerability occurs in the BTRFS zoned device functionality during the creation of a block group. The issue arises in the btrfsloadzone_info() function where a device is extracted from the chunk map into a local variable and used without proper protection from the device replace rwsem (read-write semaphore). This creates a race condition with device replace operations, potentially triggering a use-after-free on the device that was just replaced. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to potentially compromise the system through a use-after-free condition in the BTRFS file system. This could lead to privilege escalation, denial of service, or information leaks when exploited (Ubuntu).

The vulnerability has been fixed by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section. The fix has been implemented in various Linux kernel versions and distributed through distribution-specific updates. Users are advised to update their systems to the patched versions (Kernel Patch).