
Cloud Vulnerability DB
A community-led vulnerabilities database
In the Linux kernel, a vulnerability (CVE-2024-49887) was discovered in the F2FS filesystem that could cause a system panic when a "no free segment" fault is injected. The issue was identified in versions from 6.9 up to (excluding) 6.10.14 and from 6.11 up to (excluding) 6.11.3. The vulnerability was reported by syzbot and relates to the filesystem's handling of no-free-segment conditions (NVD).
The vulnerability occurs in the F2FS filesystem's segment handling code. When a no free segment fault is injected into F2FS, the system would inappropriately trigger a kernel BUG at fs/f2fs/segment.c:2748. The issue manifests during the allocation of new segments in the __allocate_new_segment function. The CVSS v3.1 base score for this vulnerability is 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
The vulnerability affects system availability by causing a kernel panic when encountering specific fault injection conditions. This could lead to system crashes and service interruptions, though it requires local access and low privileges to exploit (NVD).
The issue has been fixed in Linux kernel versions 6.10.14 and 6.11.3. The fix involves modifying the F2FS filesystem code to properly handle no free segment conditions without triggering a system panic. The patch removes the unnecessary panic trigger while maintaining the filesystem's ability to handle out-of-space conditions (Kernel Patch).
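A triage sketch for the version ranges above, added here as an example and not taken from NVD or the kernel patch: it checks a `uname -r` string against the affected ranges and lists F2FS mounts from `/proc/mounts`, noting which carry the documented `fault_injection=` mount option. The function names, result labels and sample mount table are constructed for illustration, and because distribution kernels backport fixes, an in-range result means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# Affected upstream ranges as stated on this page, as [first affected, first fixed).
AFFECTED = [((6, 9, 0), (6, 10, 14)), ((6, 11, 0), (6, 11, 3))]

# Constructed /proc/mounts sample, not taken from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mmcblk0p2 /data f2fs rw,lazytime,fault_injection=100 0 0
/dev/sdb1 /cache f2fs rw,noatime 0 0
"""

def parse_release(release):
    """Map a `uname -r` string such as '6.10.12-arch1-1' to (6, 10, 12).
    Suffixes (-rc1, distro tags) are ignored, so an -rc counts as the release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(release):
    """True if the upstream version falls inside a range listed on this page."""
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED)

def f2fs_mounts(mounts_text):
    """Return {mountpoint: fault_injection_enabled} for every f2fs mount."""
    found = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "f2fs":
            opts = fields[3].split(",")
            found[fields[1]] = any(o.startswith("fault_injection=") for o in opts)
    return found

def triage(release, mounts_text):
    """Classify a host: 'outside-range', 'in-range-no-f2fs' or 'in-range-f2fs'."""
    if not in_affected_range(release):
        return "outside-range"
    return "in-range-f2fs" if f2fs_mounts(mounts_text) else "in-range-no-f2fs"

if __name__ == "__main__":
    import platform
    with open("/proc/mounts") as fh:
        print(platform.release(), triage(platform.release(), fh.read()))
```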
Source: This report was generated using AI