CVE-2024-40909: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40909 is a use-after-free vulnerability discovered in the Linux kernel's BPF subsystem. The vulnerability was identified in the bpflinkfree() function and affects Linux kernel versions from 6.6.26 up to 6.6.35, versions from 6.9 up to 6.9.6, and versions 6.10-rc1 and 6.10-rc2. The issue was discovered and reported by syzbot in June 2024 (Kernel Patch).

The vulnerability occurs in the bpflinkfree() function where after commit 1a80dbcb2dba, bpflink can be freed by link->ops->deallocdeferred, but the code still tests and uses link->ops->dealloc afterward, leading to a use-after-free condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow a local attacker with limited privileges to potentially execute arbitrary code, cause a denial of service through system crash, or escalate privileges on affected systems. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that ensures only one deallocation method is called instead of both. The fix adds a WARNON() check to prevent problematic implementations and modifies the bpflink_free() function to properly handle deallocation (Kernel Patch).