CVE-2024-46843: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46843 affects the Linux kernel's SCSI UFS core subsystem. The vulnerability was discovered when a kernel panic occurs if the ufshcd driver attempts to remove a UFS device while ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled. This issue was introduced after MCQ configuration was deferred following commit 0cab4023ec7b (Kernel Patch).

The vulnerability exists in the SCSI host removal process within the Linux kernel's UFS core subsystem. The issue occurs specifically when Multi-Queue Configuration (MCQ) is enabled and the SCSI host removal is attempted before proper initialization. The CVSS v3.1 base score is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a kernel panic in affected Linux systems, leading to system crashes and denial of service. The impact is limited to local attacks and primarily affects system availability without compromising confidentiality or integrity (NVD).

The issue has been patched by adding a scsi_host_added flag that is set to true after successfully adding a SCSI host, and checking this flag before attempting to remove the host. The fix ensures that SCSI host removal only occurs if it was properly added. The patch has been incorporated into various Linux kernel versions (Kernel Patch).