CVE-2024-50071: 
Linux Debian vulnerability analysis and mitigation

A double free vulnerability (CVE-2024-50071) was discovered in the Linux kernel's Nuvoton pin controller driver. The issue affects Linux kernel versions from 6.11 up to (excluding) 6.11.5, including release candidates 6.12-rc1, 6.12-rc2, and 6.12-rc3. The vulnerability was discovered when 'new_map' was allocated using devm_* which handles memory freeing on device removal, but an additional call to pinconf_generic_dt_free_map resulted in a double free condition (NVD).

The vulnerability exists in the ma35_pinctrl_dt_node_to_map_func() function of the Nuvoton pin controller driver. The issue occurs because 'new_map' is allocated using devm_kcalloc(), which automatically handles memory deallocation during device removal. However, the subsequent call to .dt_free_map = pinconf_generic_dt_free_map causes a double free condition as pinconf_generic_dt_free_map() also calls pinctrl_utils_free_map(). The CVSS v3.1 base score is 7.8 (High), with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Kernel Patch).

The vulnerability could allow an attacker with local access to cause a denial of service through system crash or potentially execute arbitrary code. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability if exploited (NVD).

The vulnerability has been fixed by replacing devm_kcalloc() with kcalloc() in the affected code. Users should update to Linux kernel version 6.11.5 or later which contains the fix. The patch has been backported to affected stable kernel versions (Kernel Patch).