CVE-2024-50281: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50281 affects the Linux kernel's trusted key subsystem, specifically in the DCP (Data Co-Processor) component. The vulnerability was discovered when sealing or unsealing a key blob, where the AEAD cipher operation would not wait for completion before returning. This issue was disclosed on November 18, 2024, and affects Linux kernel versions 6.10.7 and versions from 6.11 up to (excluding) 6.11.8, as well as various 6.12 release candidates (NVD).

The vulnerability is classified as a NULL pointer dereference (CWE-476) in the AEAD crypto operation. The issue occurs because the system does not wait for the AEAD cipher operation to finish and simply returns after submitting the request. Under system load, the process can exit before the cipher operation completes, causing the buffer being read from or written to be removed from the stack. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in NULL pointer dereference errors in the DCP driver during blob creation, potentially leading to system crashes and denial of service conditions. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched by modifying the code to wait for the AEAD cipher operation to finish before resuming the seal and unseal calls. The fix involves using DECLARE_CRYPTO_WAIT and crypto_wait_req functions to ensure proper completion of crypto operations. The patch has been committed to the Linux kernel repository (Kernel Patch).