CVE-2024-49872: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49872 affects the Linux kernel and involves a race condition in the memory management subsystem. The vulnerability was discovered in the memfdpinfolios functionality where a race condition during hugetlb page creation can lead to a kernel panic. The issue affects Linux kernel versions from 6.11 up to (excluding) 6.11.3 (NVD).

The vulnerability occurs in the mm/gup subsystem when memfdpinfolios attempts to create a hugetlb page while another process has already created it. Specifically, when folio gets the value -EEXIST after memfdallocfolio(memfd, startidx), the code fails to set folio to NULL on error. This leads to a panic in the subsequent loop iteration when attempting to call folioput(folio) (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 MEDIUM (Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability can result in a kernel panic when the race condition is triggered, leading to a denial of service condition. This affects system stability and availability, though it does not impact confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in Linux kernel version 6.11.3 by adding code to set the folio pointer to NULL on error conditions. Users should upgrade to this version or later to address the vulnerability. The fix involves a one-line code change in the mm/gup.c file (Kernel Patch).