CVE-2024-47687: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47687 affects the Linux kernel's vDPA (virtual data path acceleration) MLX5 driver. The vulnerability was discovered in the memory resource handling where certain error paths from mlx5vdpadev_add() could release uninitialized memory resources. This issue affects Linux kernel versions from 6.7 up to (excluding) 6.10.13 and versions from 6.11 up to (excluding) 6.11.2 (NVD).

The vulnerability stems from a NULL pointer dereference in the vdpa/mlx5 driver when handling memory resources. The issue occurs during the destruction of memory resources that were never properly initialized, leading to a kernel NULL pointer dereference at address 0x0000000000000000. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

When exploited, this vulnerability can cause a denial of service condition through a system crash. The issue specifically manifests when the system attempts to release memory resources that were never initialized, leading to a kernel panic (Kernel Patch).

The issue has been fixed by adding a validation check in mlx5vdpadestroymrresources() to prevent the release of uninitialized memory resources. The fix has been implemented in the Linux kernel through patches that add the missing check before attempting to destroy memory resources (Kernel Patch).