CVE-2024-42094: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42094 affects the Linux kernel's net/iucv subsystem, specifically related to cpumask variable allocation on the stack. The vulnerability was discovered on July 29, 2024, and involves a potential stack overflow condition when CONFIGCPUMASKOFFSTACK=y is enabled. The issue affects multiple versions of the Linux kernel up to versions 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, and 6.9.8 (NVD).

The vulnerability stems from explicit allocation of cpumask variables on the stack in the net/iucv module. When CONFIGCPUMASKOFFSTACK=y is enabled, this allocation method can lead to potential stack overflow conditions. The CVSS v3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required with low attack complexity (NVD). The vulnerability is classified as CWE-787 (Out-of-bounds Write).

The vulnerability could allow an attacker with local access to cause a stack overflow in the Linux kernel's IUCV (Inter-User Communication Vehicle) networking subsystem. This could potentially lead to system crashes or privilege escalation, affecting the confidentiality, integrity, and availability of the system (NVD).

The fix involves using *cpumask_var API(s) to allocate cpumask variables in a config-neutral way instead of explicit stack allocation. The patch has been merged into the Linux kernel, and affected distributions have released updates. Users should update to patched kernel versions: beyond 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, or 6.9.8 (Kernel Patch).