CVE-2024-50088: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50088 affects the Linux kernel's BTRFS file system implementation. The vulnerability was discovered in the add_inode_ref() function where a 'name' struct is not properly initialized when declared, potentially leading to an uninitialized pointer being freed. This issue was identified by Coverity (CID 1526744) and affects Linux kernel versions from 6.1.57 up to 6.11.5 (NVD).

The vulnerability exists in the add_inode_ref() function within the BTRFS file system code. When the function encounters certain error conditions and returns NULL from read_one_inode() calls, it attempts to free name.name in the error handling path before the structure is properly initialized. The specific code path occurs when either dir = read_one_inode(root, parent_objectid) returns NULL (resulting in -ENOENT) or inode = read_one_inode(root, inode_objectid) returns NULL (resulting in -EIO). The CVSS v3.1 base score is 7.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to a potential use-after-free condition when accessing uninitialized memory, which could result in system crashes or potential privilege escalation in the Linux kernel (NVD).

The issue has been fixed in the Linux kernel through a patch that properly initializes the 'name' struct with zeros at declaration time. The fix has been implemented in multiple kernel versions through commit 66691c6e2f18d2aa4b22ffb624b9bdc97e9979e4 and its backports. Users should update their Linux kernel to a patched version (Kernel Patch).