CVE-2024-57890: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57890 addresses an integer overflow vulnerability discovered in the Linux kernel's RDMA/uverbs subsystem. The vulnerability was identified in January 2025 and affects Linux kernel versions from 2.6.15 up to versions before 5.4.289, 5.10.233, 5.15.176, 6.1.124, 6.6.70, and 6.12.9 (NVD).

The vulnerability stems from an integer overflow issue in the expression 'cmd.wqesize * cmd.wrcount', where both variables are u32 values that come from user input. The multiplication can lead to integer wrapping. Additionally, the 'cmd.sgecount * sizeof(struct ibuverbs_sge)' multiplication can overflow on 32-bit systems. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to a denial of service condition when exploited. The CVSS scoring indicates that while the vulnerability requires local access and low privileges, it can result in high availability impact with no direct effect on confidentiality or integrity (NVD).

The vulnerability has been patched by modifying the condition in uverbsrequestnextptr() to prevent integer overflow and using sizemul() for multiplications. Fixed versions include Linux kernel 5.4.289, 5.10.234, 5.15.176, 6.1.124, 6.6.70, and 6.12.9. Users are advised to upgrade to these or later versions (Debian Security).