CVE-2024-57872: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57872 is a vulnerability discovered in the Linux kernel's SCSI UFS platform driver. The issue was identified and disclosed on January 11, 2025, affecting Linux kernel versions from 3.10 up to (excluding) 6.12.5. The vulnerability specifically relates to improper memory management during the host bus adapter (HBA) deallocation process in the ufshcdpltfrmremove() function (NVD, Debian Tracker).

The vulnerability stems from a missing deallocation call in the SCSI UFS platform driver. Specifically, the ufshcdpltfrmremove() function failed to properly clean up the SCSI host using scsihostdevrelease(), which should be handled by calling ufshcddealloc_host(hba). The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

The primary impact of this vulnerability is memory leaks in the system. When the UFS platform driver is removed, the improper cleanup of SCSI host resources leads to memory not being properly released, potentially causing system resource depletion over time (Kernel Patch).

The vulnerability has been fixed in Linux kernel version 6.12.5 and later. The fix involves adding a call to ufshcddeallochost(hba) in the ufshcdpltfrmremove() function to ensure proper cleanup of SCSI host resources. Users are advised to upgrade to a patched kernel version. The fix has been backported to various stable kernel branches (Kernel Patch).