CVE-2024-47737: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47737 is a vulnerability in the Linux kernel's NFSD (Network File System daemon) component, discovered and disclosed on October 21, 2024. The issue occurs when xdrreservespace returns NULL while idmaplookup has triggered lookupfn which calls cacheget and returns successfully, resulting in a missing cacheput call that should pair with cache_get (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 5.5 (Medium). The issue affects the nfs4idmap.c file in the Linux kernel's NFSD implementation, specifically in the idmapidtoname function where a cacheput operation was missing when xdrreservespace returns NULL. This vulnerability was introduced by commit ddd1ea563672 'nfsd4: use xdrreservespace in attribute encoding' (Kernel Patch).

The vulnerability affects multiple versions of the Linux kernel from version 3.16 up to versions before 5.10.227, 5.15.168, 6.1.113, and 6.6.54. When exploited, it could lead to resource management issues in the kernel's NFS server implementation (NVD).

The vulnerability has been fixed in multiple Linux kernel versions. Ubuntu has released patches for versions 24.10 (6.11.0-18.18), 24.04 LTS (6.8.0-54.56), 22.04 LTS (5.15.0-127.137), and 20.04 LTS (5.4.0-208.228). Debian has also released fixes for bullseye (5.10.234-1), bookworm (6.1.128-1), and sid/trixie (6.12.17-1) (Ubuntu, Debian).