CVE-2024-50259: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50259 affects the Linux kernel's netdevsim module, specifically in the nsimnexthopbucketactivitywrite() function. The vulnerability was discovered by a static analyzer and disclosed on November 9, 2024. It affects Linux kernel versions from 5.13 up to (excluding) 5.15.171, 5.16 up to (excluding) 6.1.116, 6.2 up to (excluding) 6.6.60, and 6.7 up to (excluding) 6.11.7 (NVD).

The vulnerability stems from a missing null terminator after a copyfromuser() operation in the netdevsim module's string handling. When performing string operations like sscanf(), the absence of a trailing zero could lead to improper function behavior. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

The vulnerability primarily affects system availability, as indicated by the CVSS metrics showing high impact on availability (A:H) but no impact on confidentiality or integrity. The issue could potentially cause system instability or crashes when processing network device simulation operations (NVD).

The vulnerability has been patched in various Linux kernel versions. Ubuntu has released fixes in multiple kernel packages including linux-ibm (5.15.0-1070.73), linux-aws (5.15.0-1078.85), and linux-azure (5.15.0-1081.90). The fix involves adding a trailing zero after the copyfromuser() operation to ensure proper string termination (Ubuntu, Kernel Patch).