CVE-2024-50023: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2024-50023) was discovered in the PHY LED handling mechanism. The issue was identified in versions 6.4 through 6.6.57 and versions 6.7 through 6.11.4. The vulnerability stems from an incomplete fix in a previous commit that addressed LED entry management in the LEDs list during unregistration (NVD).

The vulnerability occurs when a port for the PHY is torn down and up while the kmod for the PHY is removed. The issue arises from the incomplete implementation in commit c938ab4da0eb, which correctly fixed a problem with using devm_ but failed to remove the LED entry from the LEDs list. This results in a scenario where the LED list maintains stale entries, leading to a kernel panic. The CVSS v3.1 base score is 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

When exploited, this vulnerability can cause a kernel panic under specific conditions. The issue manifests when the port is brought down for the second time after a sequence of operations, as the LED list contains four elements - two previously unregistered and two newly registered ones. This leads to system instability and potential denial of service (NVD).

The vulnerability has been patched by correctly removing the LED element when it is unregistered. The fix involves modifying the phy_leds_unregister function to properly clean up LED entries from the list. Users should upgrade to Linux kernel versions 6.6.57 or later, or 6.11.4 or later, which contain the fix (NVD, Kernel Patch).