CVE-2024-46678: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46678 affects the Linux kernel's bonding driver, specifically related to a locking mechanism issue. The vulnerability was discovered in the bonding driver's IPsec implementation where the ipsec_lock was implemented as a spin lock instead of a mutex. This vulnerability affects Linux kernel versions from 5.10.54 up to (excluding) 6.10.8, as well as several release candidates of version 6.11 (NVD).

The vulnerability stems from the use of a spin lock (bond->ipseclock) to protect the ipseclist in the bonding driver. When xdodevstateadd and xdodevstatedelete operations are called inside this lock, they may sleep, which triggers a "scheduling while atomic" bug when changing the bond's active slave. The issue occurs because these xfrmdev operations are executed in user context while holding a spin lock, which is not allowed to sleep (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can trigger a "scheduling while atomic" bug in the Linux kernel when changing the bond's active slave, potentially leading to a denial of service condition. This occurs specifically when IPsec operations are being performed on bonded network interfaces (NVD).

The issue has been fixed by changing the ipsec_lock from a spin lock to a mutex, as the locking operations are only called from contexts that can sleep. The fix has been implemented in the Linux kernel through a patch that modifies the bonding driver's locking mechanism (Kernel Patch). Users should update to patched kernel versions to mitigate this vulnerability.