CVE-2024-50077: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50077 affects the Linux kernel's Bluetooth ISO implementation. The vulnerability was discovered when debugfs is disabled, causing a potential system crash due to duplicate initialization calls. The issue affects Linux kernel versions from 6.0 up to (excluding) 6.1.114, 6.2 up to (excluding) 6.6.58, and 6.7 up to (excluding) 6.11.5 (NVD).

The vulnerability occurs in the Linux kernel's Bluetooth ISO initialization process. If btdebugfs is not created successfully (when either CONFIGDEBUGFS or CONFIGDEBUGFSALLOWALL is unset), isoinit() returns early without setting isoinited to true. This leads to duplicate calls to protoregister() and btsockregister() on subsequent initialization attempts. When CONFIGLISTHARDENED and CONFIGBUGONDATACORRUPTION are enabled, this triggers a kernel BUG due to a double list addition (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

When exploited, this vulnerability can cause a denial of service condition through a system crash. The issue specifically manifests when the kernel attempts to perform duplicate initialization of Bluetooth ISO components, leading to a kernel panic with an invalid opcode error (Kernel Patch).

The issue has been fixed by removing the early return in iso_init() and modifying the debugfs check logic. The fix has been incorporated into multiple Linux kernel versions through security updates. For Debian 11 users, the fix is available in linux-6.1 version 6.1.119-1~deb11u1 (Debian LTS). Ubuntu users can find the fix in their respective kernel updates (Ubuntu Notice).