CVE-2024-40986: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-40986 is a vulnerability in the Linux kernel's DMA engine, specifically affecting the Xilinx XDMA driver. The issue was discovered and disclosed on July 12, 2024, involving data synchronization problems in the xdmachannelisr() function. The vulnerability affects various Linux kernel versions and has been addressed in kernel version 6.9.7 and 6.10-rc5 (Kernel Git).

The vulnerability stems from improper data synchronization in the xdmachannelisr() function within the Xilinx XDMA driver. The issue specifically relates to the timing of acquiring the vchan lock before accessing xdma->stop_request. The vulnerability has been assigned a CVSS v3.1 score of 5.1 (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H) and is categorized under CWE-820 (Red Hat).

The vulnerability could potentially lead to race conditions during interrupt handling in XDMA channels. While the confidentiality impact is rated as none, there is a low impact on integrity and a high impact on availability according to the CVSS metrics (Red Hat).

The vulnerability has been fixed in Linux kernel version 6.9.7 and 6.10-rc5. The fix involves modifying the xdmachannelisr() function to acquire the vchan lock before using xdma->stop_request. Various Linux distributions have released patches, including Ubuntu which has fixed the issue in versions 24.04 LTS (noble) and 22.04 LTS (jammy) (Ubuntu).