CVE-2024-46785: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-46785 affects the Linux kernel's eventfs subsystem. The vulnerability was discovered by Chi Zhiling and involves a null pointer dereference issue in the tracefs component. The issue occurs when the variable 'eichild' is set to LISTPOISON1 after the list is removed in eventfsremoverec, leading to a potential system crash when accessing eichild->isfreed (NVD).

The vulnerability stems from using listdel() on an SRCU (Sleepable Read-Copy Update) protected list variable before synchronization occurs. This can poison the list pointers while a reader is iterating the list. The issue manifests when accessing the eichild->is_freed field after the list has been removed, triggering a kernel panic. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a kernel panic leading to a denial of service condition. The issue specifically affects the system's ability to handle certain filesystem operations in the tracefs subsystem, potentially impacting system stability and availability (NVD).

The vulnerability has been fixed by replacing listdel() with listdel_rcu(), which is specifically designed for SRCU-protected list variables. The fix has been implemented in the Linux kernel, and affected systems should be updated to the patched versions. The fix is tracked in commit d2603279c7d645bf0d11fa253b23f1ab48fc8d3c (Kernel Patch).