CVE-2024-50097: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50097 is a vulnerability in the Linux kernel affecting the Fast Ethernet Controller (FEC) driver. The issue was discovered and disclosed in November 2024, specifically impacting platforms such as i.MX25 and i.MX27 that do not support Precision Time Protocol (PTP). The vulnerability affects Linux kernel versions from 6.6.55 up to 6.6.57, from 6.7 up to 6.11.4, and from 6.10.4 up to 6.11, as well as specific release candidates 6.12-rc1 and 6.12-rc2 (NVD).

The vulnerability occurs because fecptpsavestate() is called unconditionally, even on platforms where PTP is not supported. On these platforms, fecptpinit() is not called, leaving related members in the FEC driver structure uninitialized. When fecptpsavestate() attempts to access these uninitialized members, it causes a kernel panic. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability results in a kernel panic on affected systems, leading to a denial of service condition. The impact is particularly significant for platforms that do not support PTP functionality, as it affects system stability and availability (NVD).

The vulnerability has been patched by adding a condition to check if PTP is supported (via fep->bufdescex) before calling fecptpsavestate(). Users are recommended to update to the latest kernel version that includes the fix. The patch has been merged into the mainline kernel and is available in the stable kernel branches (Kernel Patch).