CVE-2024-53073: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53073 is a vulnerability in the Linux kernel's NFSD (Network File System Daemon) component, discovered and disclosed on November 19, 2024. The vulnerability affects Linux kernel versions from 6.11.3 up to (excluding) 6.11.7. The issue occurs in the nfsd4copy() function where there is an incorrect handling of the pendingasync_copies counter during error conditions (NVD).

The vulnerability stems from a double decrement of the pendingasynccopies counter in the error flow of nfsd4copy() function. Specifically, when an error occurs, the function calls cleanupasynccopy(), which already decrements nn->pendingasync_copies, but the error handling code incorrectly decrements it again. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required and the primary impact is on system availability (NVD).

The vulnerability affects system availability by potentially causing incorrect tracking of pending asynchronous copy operations in the NFSD service. This could lead to resource management issues in the Network File System daemon, potentially affecting the system's ability to handle NFS operations correctly (NVD).

The vulnerability has been patched in Linux kernel version 6.11.7. The fix involves removing the redundant decrement of pendingasynccopies in the error handling path of nfsd4_copy(). Multiple stable kernel branches have received the backported fix through various commits (Kernel Git).