CVE-2024-50209: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50209 affects the Linux kernel's RDMA/bnxt_re driver component. The vulnerability was discovered and disclosed on November 8, 2024, and involves a memory allocation check issue where the __alloc_pbl() function can return an error when memory allocation fails, but the driver was not checking the status in one instance (NVD). The vulnerability affects Linux kernel versions from 5.7 through 5.10.229, 5.15 through 5.15.170, 5.16 through 6.1.115, 6.2 through 6.6.59, and other versions in this range (NVD).

The vulnerability exists in the RDMA/bnxt_re driver's hardware queue memory allocation functionality. Specifically, in the bnxt_qplib_alloc_init_hwq function, there was a missing check for the return value of __alloc_pbl() function, which could lead to potential memory allocation failures being ignored (Kernel Patch). The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to system instability or crashes due to unhandled memory allocation failures in the RDMA/bnxt_re driver. Given the CVSS score and vector, the vulnerability could potentially allow a local attacker with low privileges to achieve high impacts on confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been patched in the Linux kernel with a fix that adds proper error checking for the __alloc_pbl() function return value. The fix has been backported to various stable kernel versions. Ubuntu has released fixes for multiple versions including 24.10 (6.11.0-18.18), 22.04 LTS (5.15.0-133.144), and other affected versions (Ubuntu). Debian has also released fixes for bullseye (5.10.234-1), bookworm (6.1.128-1), and sid/trixie (6.12.17-1) (Debian).