CVE-2024-50027: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50027 is a use-after-free vulnerability discovered in the Linux kernel's thermal subsystem. The vulnerability affects Linux kernel versions from 6.4 up to 6.11.4. The issue occurs in the thermal zone device unregistration process where an object pointed to by tz->tzp may still be accessed after being freed in thermalzonedevice_unregister() function (NVD).

The vulnerability is caused by improper memory management in the thermal core component of the Linux kernel. Specifically, the issue stems from freeing the thermal zone parameters structure (tzp) before the completion of the removal process, which could lead to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could allow an attacker with local access to cause a denial of service (system crash) through a use-after-free condition in the thermal subsystem. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by moving the freeing of the tzp object to a point after the removal completion has been completed, ensuring it cannot be accessed after being freed. The fix has been implemented in various Linux distributions, including Ubuntu 24.10 and other affected versions. Users are advised to update their systems to the patched versions (Ubuntu, Kernel Patch).