CVE-2024-49938: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49938 affects the Linux kernel's ath9k_htc WiFi driver. The vulnerability was discovered by Syzbot and disclosed on October 21, 2024. The issue involves uninitialized skb length in error paths when using skb_trim() function in the ath9k_htc USB driver (NVD).

The vulnerability stems from skb_trim() having a sanity check on the existing length of the skb, which can be uninitialized in some error paths within the ath9k_htc WiFi driver. The issue affects both ath9k_hif_usb_reg_in_cb() and ath9k_hif_usb_rx_cb() functions. The CVSS v3.1 base score is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to high availability impact on affected systems, though there are no confidentiality or integrity impacts. The issue requires local access and low privileges to exploit (NVD).

The issue has been fixed by replacing skb_trim() calls with __skb_set_length(skb, 0) in the affected functions. The fix has been implemented across multiple Linux kernel versions, including 5.10.227, 5.15.168, 6.1.113, 6.6.55, and others. Users should update to the patched versions of the kernel (Kernel Patch).