CVE-2024-40994: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40994 is a vulnerability discovered in the Linux kernel affecting the PTP (Precision Time Protocol) subsystem. The issue was identified in the maxvclocksstore function where an integer overflow could occur on 32-bit systems during memory allocation calculations. The vulnerability was disclosed on July 12, 2024, and affects Linux kernel versions from 5.14 through 6.10-rc4 (NVD).

The vulnerability stems from an integer overflow condition in the maxvclocksstore function within the PTP subsystem. Specifically, on 32-bit systems, the calculation '4 * max' used for memory allocation could overflow. The issue was fixed by replacing the vulnerable kzalloc() call with kcalloc() to properly handle the allocation and prevent the overflow condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to memory corruption on affected 32-bit systems running the Linux kernel. This could result in system crashes, denial of service conditions, or potential privilege escalation scenarios due to improper memory handling (NVD).

The vulnerability has been patched in various Linux kernel versions. The fix involves using kcalloc() instead of kzalloc() for memory allocation to prevent the integer overflow. Multiple Linux distributions have released updates to address this vulnerability, including Ubuntu which has fixed it in versions 6.8.0-44.44 for 24.04 LTS and 5.15.0-121.131 for 22.04 LTS (Ubuntu).