CVE-2024-49982: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49982 is a use-after-free vulnerability discovered in the Linux kernel's ATA over ethernet (AOE) driver. The vulnerability was identified and disclosed on October 21, 2024, affecting multiple functions in the AOE driver including revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp() (NVD).

The vulnerability stems from improper reference counting of network device objects in the AOE driver. The issue arose after fixing CVE-2023-6270, where dev_put() was moved to the tx() function instead of being called in aoecmd_cfg_pkts(). While this fixed the original use-after-free problem, it introduced a new issue where the reference count of skb->dev could be reduced to a negative value because corresponding dev_hold() calls were not implemented in several functions that use aoenet_xmit() to push packets to the tx queue. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker with local access to potentially cause a use-after-free condition in the kernel, leading to potential system compromise with high impacts on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed in various Linux kernel versions. Ubuntu has released patches for affected versions: Ubuntu 24.10 (6.11.0-18.18), 24.04 LTS (6.8.0-54.56), 22.04 LTS (5.15.0-127.137), and 20.04 LTS (5.4.0-208.228). Users are advised to update their systems to the patched versions (Ubuntu).