CVE-2024-49855: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49855 is a race condition vulnerability in the Linux kernel's Network Block Device (NBD) subsystem. The vulnerability was discovered and disclosed on October 21, 2024, affecting multiple versions of the Linux kernel from 5.17.15 through 6.10.13. The issue specifically relates to a race between timeout and normal completion handling in the NBD driver (NVD).

The vulnerability stems from a race condition in the NBD driver where if a request timeout is handled by nbdrequeuecmd(), the normal completion must be stopped to prevent completing a requeued request. This can potentially trigger a use-after-free condition. The issue has been assigned a CVSS v3.1 base score of 7.0 (High) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required with high attack complexity (NVD).

The vulnerability could lead to use-after-free conditions in the Linux kernel's NBD subsystem, potentially resulting in high impacts to confidentiality, integrity, and availability of the affected system. The high CVSS score indicates that successful exploitation could lead to significant system compromise (NVD).

The vulnerability has been fixed by clearing the NBDCMDINFLIGHT flag in nbdrequeuecmd() and ensuring that cmd->lock is properly grabbed for clearing the flag and the requeue operation. The fix has been implemented in various Linux kernel versions through patches (Kernel Patch).