CVE-2024-42158: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42158 affects the Linux kernel's s390/pkey subsystem, specifically related to memory handling in the pkeyapi.c file. The vulnerability was discovered and disclosed on July 30, 2024, affecting Linux kernel versions from 4.11 up to (excluding) 6.9.9. The issue involves improper memory cleanup operations where memzeroexplicit() and kfree() were used instead of the more secure kfree_sensitive() function (Kernel Patch).

The vulnerability stems from the improper implementation of memory cleanup operations in the s390/pkey API. The issue was identified through Coccinelle warnings at three specific locations (lines 1506, 1643, and 1770) in the pkey_api.c file. The vulnerability has a CVSS v3.1 Base Score of 4.1 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could potentially lead to sensitive information exposure through improper memory cleanup. The CVSS score indicates that while the vulnerability requires local access and high privileges to exploit, it could result in high confidentiality impact if successfully exploited (NVD).

The vulnerability has been patched in various Linux distributions. Ubuntu has released fixes for multiple versions: Ubuntu 24.04 LTS (noble) with kernel version 6.8.0-48.48, Ubuntu 22.04 LTS (jammy) with kernel version 5.15.0-127.137, and other affected versions. The fix involves replacing memzeroexplicit() and kfree() calls with kfreesensitive() (Ubuntu Security).