CVE-2024-42107: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42107 affects the Linux kernel's ice driver implementation. The vulnerability was discovered in July 2024 and involves a race condition between the iceptpexttsevent() and iceptp_release() functions that can lead to a NULL pointer dereference and kernel panic. The vulnerability affects Linux kernel versions from 5.14 up to (excluding) 6.9.9 (NVD).

The vulnerability occurs in the ice driver's PTP (Precision Time Protocol) functionality. The iceptpexttsevent() function can race with iceptprelease(), resulting in a NULL pointer dereference when calling ptpclock_event() with a NULL pointer. This happens because the ice driver releases the PTP clock before the interrupt for the next external timestamp event occurs. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability leads to a kernel panic, causing a denial of service condition on the affected system. The impact is limited to availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by modifying the iceptpextts_event() function to check the PTP state and exit early if PTP is not ready. The fix was implemented in the Linux kernel through commit 996422e3230e41468f652d754fefd1bdbcd4604e. Users should update their Linux kernel to version 6.9.9 or later to address this vulnerability (Kernel Patch).