CVE-2024-56748: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56748 is a memory leak vulnerability discovered in the Linux kernel's SCSI subsystem, specifically in the qedf_alloc_and_init_sb() function of the QLogic FastLinQ offload FCoE driver. The vulnerability was disclosed on December 29, 2024, affecting Linux kernel versions from 4.11 up to versions before 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.64, 6.11.11, and 6.12.2 (NVD).

The vulnerability occurs when the qed_ops->common->sb_init hook fails to release DMA memory (sb_virt) during initialization. This issue stems from the QLogic FastLinQ offload FCoE driver framework implementation, where the memory allocated using dma_free_coherent() is not properly freed when an error occurs. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on system availability (NVD).

The vulnerability can lead to memory leaks in the Linux kernel's SCSI subsystem, potentially causing system resource depletion over time. This could affect system stability and performance, particularly in systems using the QLogic FastLinQ FCoE driver (NVD).

The vulnerability has been patched by adding a dma_free_coherent() call to properly free the DMA memory when initialization fails. The fix has been implemented in the Linux kernel, following the same pattern used in qedr_alloc_mem_sb() and qede_alloc_mem_sb() functions. Users should update to kernel versions 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.64, 6.11.11, 6.12.2 or later to address this vulnerability (Kernel Patch).