CVE-2024-39507: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39507 affects the Linux kernel's HNS3 network driver. The vulnerability was discovered in July 2024 and involves a kernel crash issue in concurrent scenarios. Specifically, when the link status changes, the NIC driver needs to notify the RoCE driver to handle the event, but if the RoCE driver is uninitialized during this process, it can cause a kernel crash (NVD).

The vulnerability is caused by improper synchronization in the HNS3 driver's link status change handling. It has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-908 (Use of Uninitialized Resource). The vulnerability affects Linux kernel versions from 5.1 to 6.10-rc3, specifically versions 5.1 through 5.15.162, 5.16 through 6.1.95, 6.2 through 6.6.35, and 6.7 through 6.9.6 (NVD).

When exploited, this vulnerability can cause a kernel crash, leading to a denial of service condition. The impact is limited to local systems where the HNS3 network driver is in use, particularly affecting systems during link status changes when the RoCE driver is in an uninitialized state (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that adds checks for RoCE driver registration status during link status changes and implements proper synchronization during driver uninitialization. The fix involves checking whether the RoCE is registered before notifying it of link status changes and waiting for link updates to finish during uninitialization (Kernel Patch).