CVE-2024-57927: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57927 is a vulnerability in the Linux kernel's NFS (Network File System) implementation, specifically in the nfsnetfsinit_request() function when copying data to cache. The vulnerability was discovered and disclosed on January 19, 2025. It affects Linux kernel versions from 6.12 up to (excluding) 6.12.10, as well as various 6.13 release candidates (rc1 through rc6) (NVD).

The vulnerability occurs when netfslib attempts to copy data read on behalf of NFS. During this process, it creates a new write request and calls nfsnetfsinitrequest() to initialize it with a NULL file pointer, which causes nfsfileopencontext() to crash. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-476 (NULL Pointer Dereference) (NVD, Red Hat).

The vulnerability can lead to a system crash (oops) when attempting to perform specific NFS operations involving cache copying. The CVSS scoring indicates that while there is no impact on confidentiality or integrity, there is a high impact on system availability due to the potential for system crashes (NVD).

The vulnerability has been fixed in Linux kernel version 6.12.10 and later. The fix involves modifying nfsnetfsinitrequest() to return safely when no file pointer is provided and adding a warning for non-cache-copy requests. Additionally, nfsnetfsfreerequest() was modified to check for NULL pointers before attempting to free the context (Kernel Patch).