CVE-2024-56561: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's PCI endpoint controller implementation (CVE-2024-56561). The issue exists in the pci_epc_destroy() function where the PCI domain ID release is incorrectly handled. The vulnerability affects Linux kernel versions from 6.11.4 up to (excluding) 6.12.4 (NVD, Debian Tracker).

The vulnerability stems from two specific issues in the pci_epc_destroy() function: First, epc->dev is passed to pci_bus_release_domain_nr() after being freed by device_unregister(), leading to a use-after-free condition. Second, the domain ID corresponds to the EPC device parent, making the passing of epc->dev incorrect. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to system compromise through a use-after-free condition in the kernel's PCI endpoint controller subsystem. Given the CVSS score and vector string, successful exploitation could result in high impacts to confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed by modifying the pci_epc_destroy() function to pass epc->dev.parent to pci_bus_release_domain_nr() and executing this before device_unregister(). The fix has been implemented in the Linux kernel through patches (Kernel Patch).