CVE-2024-50000: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50000 is a NULL pointer dereference vulnerability discovered in the Linux kernel's network subsystem, specifically in the mlx5etirbuilder_alloc() function. The vulnerability was found by the Linux Verification Center (linuxtesting.org) using the SVACE tool and was disclosed on October 21, 2024. The issue affects Linux kernel versions from 5.15 up to (excluding) 6.11.3 (NVD).

The vulnerability occurs in the mlx5etirbuilder_alloc() function where kvzalloc() may return NULL, which is then dereferenced on the next line in a reference to the modify field. This NULL pointer dereference can lead to a kernel crash. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on availability (NVD).

The vulnerability can result in a system crash due to the NULL pointer dereference, affecting system availability. The issue requires local access and can only impact system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves adding a NULL pointer check before dereferencing the builder pointer in the mlx5etirbuilder_alloc() function. Multiple stable kernel versions have received the patch, including versions 5.15.168, 6.1.113, 6.6.55, and 6.11.3 (Kernel Patch).