CVE-2024-40981: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40981 affects the Linux kernel's batman-adv (Batman Advanced) component, specifically in the batadv_purge_orig_ref() function. The vulnerability was discovered and reported on July 12, 2024, and affects multiple versions of the Linux kernel from versions prior to 4.19.317 up through versions prior to 6.9.7 (NVD).

The vulnerability manifests as a soft lockup condition in the batadv_purge_orig_ref() function of the Batman Advanced networking protocol implementation. The issue occurs during the processing of hash buckets, where the CPU can become stuck for extended periods. The CVSS v3.1 base score is 5.5 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, while the CVSS v4.0 score is 4.8 with vector string CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L (NVD).

The vulnerability can lead to a denial of service condition through CPU soft lockups, potentially affecting system availability. The issue specifically impacts the Batman Advanced mesh networking functionality in the Linux kernel (NVD).

A patch has been developed and merged into the Linux kernel that bypasses empty buckets in the batadv_purge_orig_ref() function to prevent the soft lockup condition. The fix has been backported to multiple stable kernel versions. Users should update to patched kernel versions: 4.19.317 or later, 5.4.279 or later, 5.10.221 or later, 5.15.162 or later, 6.1.96 or later, 6.6.36 or later, or 6.9.7 or later (NVD).