CVE-2024-49882: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49882 is a vulnerability in the Linux kernel's ext4 filesystem that was discovered in 2024. The issue involves a double buffer release (double brelse()) in the ext4exttrytomergeup() function, where path[1].pbh is not set to NULL after being released, potentially leading to a double free condition (NVD).

The vulnerability occurs in the ext4 filesystem's extent handling code. Specifically, in the ext4exttrytomergeup() function, when merging extents, the code releases a buffer but fails to set path[1].pbh to NULL afterward. This can lead to a situation where the same buffer is released twice during certain filesystem operations. The issue manifests when performing operations involving extent tree manipulation, particularly during split operations. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When triggered, this vulnerability can result in a kernel warning 'VFS: brelse: Trying to free free buffer' and potential system instability. The double free condition can lead to memory corruption in the kernel, potentially allowing for denial of service conditions or possible privilege escalation (Kernel Patch).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves adding a single line of code to set path[1].pbh to NULL after the buffer release in ext4exttrytomergeup(). The patch has been backported to various stable kernel versions including 3.7 through 5.10.227, 5.11 through 5.15.168, 5.16 through 6.1.113, 6.2 through 6.6.55, and others (Ubuntu Notice).