CVE-2024-42078: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42078 affects the Linux kernel's Network File System daemon (nfsd) component. The vulnerability was discovered and reported by Sourabh Jain, and involves an improper initialization of nfsdinfo.mutex that can be dereferenced by svcpoolstatsstart() immediately after a new netns is created, potentially triggering a system crash (Kernel Patch). The issue was disclosed on July 29, 2024, and affects Linux kernel versions up to (excluding) 6.8 and versions from (including) 6.9 up to (excluding) 6.9.8 (NVD).

The vulnerability stems from a timing issue in the initialization sequence of the nfsdinfo.mutex. The mutex can be dereferenced by svcpoolstatsstart() function before proper initialization, leading to a potential system crash. This issue was introduced by commit 7b207ccd9833 'svc: don't hold reference for poolstats, only mutex.' The CVSS v3.1 base score is 5.5 (Medium), with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a denial of service condition through a system crash (oops) when the nfsd_info.mutex is dereferenced before initialization (Kernel Patch).

The issue has been fixed by moving the initialization of nfsd_info.mutex earlier in the code sequence, before it can be dereferenced. The fix has been implemented in various Linux distributions, including Ubuntu 24.04 LTS (noble) with kernel version 6.8.0-44.44 (Ubuntu). Users are advised to update their systems to the patched versions.