CVE-2024-42072: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42072 affects the Linux kernel and involves two bugs in the BPF (Berkeley Packet Filter) may_goto functionality. The vulnerability was discovered by Zac's syzbot and was reported in July 2024. The affected versions include Linux kernel versions up to 6.9 and versions from 6.9.1 up to 6.9.8 (NVD).

The vulnerability consists of two distinct bugs in the maygoto functionality: 1) A patching issue where negative offsets are handled incorrectly, requiring different patching logic when the offset is negative, and 2) A verifier bug where program exploration is incorrectly pruned when the current state maygotodepth equals the visited state maygoto_depth, indicating an actual infinite loop. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Kernel Patch).

The vulnerability could potentially lead to high impacts on confidentiality, integrity, and availability of the affected system, as indicated by the CVSS scoring. The bug in the verifier could allow programs to bypass security checks related to infinite loops, while the patching issue could lead to incorrect program execution (NVD).

The vulnerability has been fixed in the Linux kernel through patches that correct both the negative offset handling in may_goto patching and the verifier's infinite loop detection logic. The fix is available in the kernel patch repositories (Kernel Patch).