CVE-2024-50278: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50278 is a vulnerability in the Linux kernel's dm cache component that was discovered and disclosed in November 2024. The issue affects Linux kernel versions from 3.13 up to (excluding) 6.11.8. This vulnerability involves a potential out-of-bounds access that occurs during the first resume of the cache table when the fast device is expanded unexpectedly (NVD).

The vulnerability is an out-of-bounds read vulnerability (CWE-125) in the dm cache component. The issue occurs because expanding the fast device requires reloading the cache table for cache_create to allocate new in-core data structures that fit the new size, but the check in cache_preresume is not performed during the first resume. This leads to potential out-of-bounds access to the dirty bitset at offset 0x40. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).

The vulnerability can lead to out-of-bounds memory access, potentially resulting in system crashes (denial of service) or information disclosure. The attack requires local access and low privileges to exploit (NVD).

The vulnerability has been fixed by adding a check for size changes on the first resume. The fix has been implemented in various kernel versions through patches. Users should update their Linux kernel to the latest patched version. The fix involves modifying the cache_preresume function to properly handle size changes during the first resume operation (Kernel Patch).