CVE-2024-54458: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-54458 is a vulnerability in the Linux kernel's SCSI UFS BSG (Block SCSI Generic) driver. The vulnerability was discovered and disclosed on February 26, 2025. It affects the bsgqueue handling in the UFS driver, where failing to set bsgqueue to NULL after removal could potentially lead to use-after-free (UAF) issues (NVD, Ubuntu).

The vulnerability exists in the UFS BSG driver's queue removal functionality. When removing the BSG queue, the code fails to set the bsgqueue pointer to NULL after calling bsgremove_queue(), which could potentially lead to use-after-free (UAF) vulnerabilities. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

While currently not causing immediate issues, the vulnerability could potentially lead to use-after-free (UAF) access, which might result in system crashes, information disclosure, or privilege escalation in the Linux kernel. The vulnerability affects various Linux distributions including Ubuntu's current and LTS releases (Ubuntu).

A fix has been implemented by adding code to set bsgqueue to NULL after removing it. The patch has been merged into the Linux kernel and is being distributed to various Linux distributions. The fix involves a single line change in the drivers/ufs/core/ufsbsg.c file (Kernel Commit).