CVE-2024-49945: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49945 affects the Linux kernel's Network Controller Sideband Interface (NCSI) implementation. The vulnerability was discovered in October 2024 and involves a use-after-free bug in the net/ncsi subsystem. The issue occurs when the ncsi work function can continue running after the associated ncsi device structure has been freed (NVD). This vulnerability affects Linux kernel versions from 4.8 up to (excluding) 6.10.14 and from 6.11 up to (excluding) 6.11.3.

The vulnerability stems from improper resource management in the NCSI subsystem where the work function is not properly disabled before freeing the associated structure. This can lead to a use-after-free condition when the work function attempts to access the already freed ncsi device structure. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in a use-after-free condition or kernel panic, potentially leading to system crashes and denial of service. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched in the Linux kernel by adding a call to disable_work_sync() before freeing the ncsi device structure. The fix has been implemented in multiple kernel versions through the commit a0ffa68c70b367358b2672cdab6fa5bc4c40de2c (Kernel Patch). Users are advised to update their Linux kernel to versions 6.10.14, 6.11.3, or later to address this vulnerability.