CVE-2024-57798: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57798 is a vulnerability discovered in the Linux kernel affecting the DisplayPort Multi-Stream Transport (MST) functionality. The issue was identified in January 2025 and involves a potential NULL pointer dereference and use-after-free condition in the drm_dp_mst_handle_up_req() function. The vulnerability affects multiple versions of the Linux kernel, including versions up to 6.1.123, versions from 6.2 up to 6.6.69, and versions from 6.7 up to 6.12.8 (NVD).

The vulnerability occurs in the Linux kernel's DisplayPort MST handling code. While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via drm_dp_mst_topology_mgr_set_mst(false), which frees mst_primary and sets drm_dp_mst_topology_mgr::mst_primary to NULL. This race condition could lead to a NULL dereference or use-after-free of mst_primary in drm_dp_mst_handle_up_req(). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to local privilege escalation on affected systems. The high CVSS score indicates that successful exploitation could result in significant impacts to system confidentiality, integrity, and availability when exploited by an attacker with local access to the system (Ubuntu).

A fix has been developed that involves holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. The patch ensures the mst_primary pointer remains valid throughout its usage by implementing proper reference counting. The fix has been incorporated into various Linux kernel versions and is being distributed through distribution-specific updates (Kernel Patch).