CVE-2024-46796: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability has been identified and resolved in the SMB client component, specifically in the smb2setpath_size() function. The vulnerability (CVE-2024-46796) involves a double put of @cfile parameter, which could lead to a use-after-free condition. This issue affects Linux kernel versions from 6.6.32 up to (excluding) 6.6.51, from 6.9 up to (excluding) 6.10.10, and various 6.11 release candidates (rc1 through rc6) (NVD).

The vulnerability occurs when smb2compoundop() is called with a valid @cfile and returns -EINVAL. The reference of @cfile was already dropped by the previous call, but the code attempted to reuse it without obtaining a new reference. This resulted in a KASAN (Kernel Address Sanitizer) detected slab-use-after-free error in the detachifpending function. The issue was discovered during testing with fstests generic/013 against Windows Server 2022 (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 score of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to a use-after-free condition in the Linux kernel's SMB client implementation. This type of vulnerability typically can result in system crashes, memory corruption, or potential privilege escalation. The high CVSS score indicates potential for significant impact on system confidentiality, integrity, and availability when exploited (NVD).

The vulnerability has been fixed by adding a call to cifsgetwritable_path() before retrying the operation when -EINVAL is returned. The fix ensures that a new reference to @cfile is properly obtained before reuse. Users should upgrade to Linux kernel versions 6.6.51, 6.10.10, or later to receive the fix (Kernel Patch).