CVE-2024-49853: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49853 is a vulnerability in the Linux kernel's ARM SCMI (System Control and Management Interface) OPTEE transport implementation. The issue was discovered and resolved in October 2024, affecting Linux kernel versions from 5.18 up to (excluding) 6.1.113, 6.2 up to (excluding) 6.6.54, 6.7 up to (excluding) 6.10.13, and 6.11 up to (excluding) 6.11.2 (NVD).

The vulnerability is a double free condition in the OPTEE transport layer of the ARM SCMI implementation. The issue occurs when channels are shared between protocols, leading to potential double freeing of the same channel descriptors during stack unloading. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

The double free vulnerability could potentially lead to memory corruption, which may result in a denial of service (system crash) or possibly allow an attacker to execute arbitrary code with elevated privileges. The vulnerability requires local access to exploit (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that adds a check to prevent double freeing of channel descriptors. The fix has been backported to affected stable kernel versions. Users should update their systems to the following versions: Linux kernel 6.1.113 or later, 6.6.54 or later, 6.10.13 or later, or 6.11.2 or later (Kernel Patch).