CVE-2024-41073: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-41073 is a vulnerability in the Linux kernel's NVMe driver that was discovered and disclosed on July 29, 2024. The issue affects multiple versions of the Linux kernel, including versions up to 5.15.164, from 5.16 to 6.1.101, from 6.2 to 6.6.42, and from 6.7 to 6.9.11 (NVD).

The vulnerability is a double free condition in the NVMe driver's discard request handling. Specifically, if a discard request needs to be retried, and that retry fails before a new special payload is added, a double free will result. The issue stems from not clearing the RQFSPECIALLOAD flag when the request is cleaned (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to memory corruption through a double free condition in the kernel's NVMe driver. This could result in high impacts on confidentiality, integrity, and availability of the affected system, as indicated by the CVSS scoring (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that clears the RQFSPECIALLOAD flag when the request is cleaned. The fix has been backported to multiple kernel versions and is available in various distribution updates. Ubuntu has released fixes for multiple kernel versions including 5.15.0-125.135 for 22.04 LTS and 6.8.0-48.48 for 24.04 LTS (Ubuntu). Debian has also released fixes for affected versions in bookworm (6.1.128-1) and sid/trixie (6.12.17-1) (Debian).