CVE-2024-46679: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46679 is a vulnerability in the Linux kernel's ethtool functionality, discovered in September 2024. The issue occurs when a sysfs reader attempts to read device state during a device reset or removal, potentially causing a race condition when the device is not actually present (NVD). This vulnerability affects multiple versions of the Linux kernel, from version 2.6.33 up to versions before 6.10.8.

The vulnerability manifests as a race condition in the ethtool subsystem when getting link settings. The issue occurs specifically in the _ethtoolgetlinkksettings() function, where there was no check for device presence before attempting to access device state. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a system crash due to attempting to read device state when the device is not present. This is particularly evident in scenarios where a device reset or removal occurs concurrent with a sysfs read operation, potentially causing a kernel panic (Kernel Patch).

The vulnerability has been patched by adding a device presence check in the ethtool subsystem. The fix moves the netifdevicepresent() check into the _ethtoolgetlinkksettings() function to protect all callers, ensuring that device state is not accessed when the device is not present (Kernel Patch).