CVE-2024-49866: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49866 affects the Linux kernel's tracing/timerlat subsystem, specifically involving a race condition during CPU hotplug (cpuhp) processing. The vulnerability was discovered when a 'timerlat/1' thread was incorrectly scheduled on CPU0, leading to timer corruption. This issue affects Linux kernel versions from 5.14 up to versions before 5.15.168, 6.1.113, 6.6.55, 6.10.14, and 6.11.3 (NVD).

The vulnerability stems from an asynchronous implementation of CPU online processing for osnoise through workers, which creates a race condition with offline processing. When a worker is scheduled to create a thread, the CPU may have already been removed from the cpuonlinemask during the offline process, resulting in incorrect CPU selection. The issue has been assigned a CVSS v3.1 Base Score of 4.7 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to timer corruption and system instability. When triggered, it results in debug object warnings and potential system crashes, as evidenced by the reported error messages showing timer initialization failures and debug object corruption (Kernel Patch).

The issue has been fixed by adding a check to skip online processing if the CPU is already offline. The fix has been implemented in the Linux kernel through a patch that modifies the osnoisehotplugworkfn function. Users should update to patched versions: Linux kernel 5.15.168, 6.1.113, 6.6.55, 6.10.14, or 6.11.3 or later (Kernel Patch).