CVE-2024-47743: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47743 addresses a NULL pointer dereference vulnerability in the Linux kernel's KEYS subsystem, specifically in the findasymmetrickey() function. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org) using the Svace static analysis tool. The issue affects Linux kernel versions from 5.17 up to versions before 6.1.113, 6.6.54, 6.10.13, and 6.11.2 (NVD).

The vulnerability occurs in the findasymmetrickey() function when all NULL values are passed in the id{0,1,2} arguments. While the function would emit a WARN message, it would then proceed to dereference id2 anyway, leading to a kernel oops. The issue was assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability stems from a missing id_2 check in the code logic (NVD).

When exploited, this vulnerability can cause a denial of service condition through a kernel oops when the system attempts to dereference a NULL pointer. The impact is limited to availability with no direct effects on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed by adding the missing id2 check and moving the WARNON() call to the final else branch to avoid duplicate NULL checks. The fix has been implemented in Linux kernel versions 6.1.113, 6.6.54, 6.10.13, and 6.11.2. Ubuntu has released updates for affected versions including 24.04 LTS and 22.04 LTS systems (Ubuntu Security).