CVE-2024-50149: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50149 is a Use-After-Free (UAF) vulnerability in the Linux kernel's DRM/XE driver. The vulnerability was discovered in October 2024 and affects Linux kernel versions from 6.10 up to (excluding) 6.11.6. The issue occurs in the DRM/XE driver where freeing a job in TDR (Time Domain Reflectometry) is unsafe as it can pass the run_job thread resulting in a Use-After-Free condition (NVD).

The vulnerability stems from an unsafe job freeing operation in the DRM/XE driver's TDR handling. The issue occurs when TDR fires before the free job worker, which is common if the exec queue is immediately closed after the last fence is signaled. The CVSS v3.1 base score is 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, though CISA-ADP assessed it at 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to a Use-After-Free condition in the Linux kernel, potentially causing system instability or crashes. The issue affects the DRM/XE driver's job handling mechanism, which could impact graphics processing operations (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves modifying the job handling mechanism to add the job back to the pending list instead of freeing it immediately in TDR, ensuring the job can be safely freed by the scheduler. The patch has been implemented in kernel version 6.11.6 and later (Kernel Patch).