CVE-2024-53068: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53068 is a vulnerability in the Linux kernel's ARM SCMI (System Control and Management Interface) firmware implementation. The issue was discovered when scmidev->name is released prematurely in _scmidevicedestroy(), causing a slab-use-after-free condition when accessing scmidev->name in scmibus_notifier(). The vulnerability affects Linux kernel versions from 5.6 up to (excluding) 6.6.61 and versions from 6.7 up to (excluding) 6.11.8 (NVD).

The vulnerability is a use-after-free bug in the ARM SCMI firmware implementation. The issue occurs due to premature deallocation of scmidev->name in _scmidevicedestroy(), while the pointer is still being accessed in scmibusnotifier(). This results in a slab-use-after-free condition when attempting to access the freed memory. The bug was detected by the Kernel Address Sanitizer (KASAN) during system initialization, specifically in the strncmp function called from scmibusnotifier() (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to cause a denial of service (system crash) or potentially execute arbitrary code with elevated privileges. The high CVSS score reflects the potential for complete compromise of confidentiality, integrity, and availability of the affected system, though local access is required (NVD).

The issue has been fixed by moving the release of scmidev->name to scmidevicerelease() to ensure proper memory management. The fix has been implemented in the Linux kernel through patches that modify the drivers/firmware/armscmi/bus.c file. Users should update to Linux kernel versions 6.6.61, 6.11.8, or later to receive the fix (Kernel Patch).