CVE-2024-40995: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40995 affects the Linux kernel's network scheduler component, specifically in the actapi functionality. The vulnerability was discovered by syzbot and involves a potential infinite loop in the tcfidrcheckalloc() function. The issue was first reported in July 2024 and affects Linux kernel versions from 4.19 up to versions before 6.9.7 (NVD).

The vulnerability occurs in the net/sched/actapi.c file where a request to add multiple actions with the same index can cause the second request to block forever on the first request. This results in holding the rtnllock indefinitely, leading to task hangs. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition - 'Infinite Loop') (NVD).

When exploited, this vulnerability can cause system tasks to hang indefinitely while waiting on rtnl_lock. This can lead to a denial of service condition, particularly affecting system performance and responsiveness. The issue specifically impacts the network traffic control subsystem's ability to handle multiple action requests (Kernel Patch).

The issue has been fixed by modifying the tcfidrcheck_alloc() function to return -EAGAIN instead of using an infinite loop, while maintaining the documented behavior. This fix has been implemented across multiple kernel versions through various patches (Kernel Patch).