CVE-2024-57939: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57939 addresses a vulnerability in the Linux kernel's RISC-V architecture implementation, specifically in the die() function. The vulnerability was discovered and disclosed on January 21, 2025, affecting Linux kernel versions from 4.15 through various 6.x releases. The issue occurs because die() can be called in exception handler contexts where sleeping is not allowed, but it uses spinlockt which can sleep when PREEMPTRT is enabled (NVD).

The vulnerability manifests when die() is called in an exception handler context while using spinlockt with PREEMPTRT enabled. This causes an invalid sleeping context, triggering a BUG warning at kernel/locking/spinlockrt.c:48. The issue is characterized by specific conditions: inatomic():1, irqsdisabled():1, and nonblock:0. The CVSS v3.1 base score is 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to system instability when the die() function is called in exception handling contexts with PREEMPT_RT enabled. This primarily affects the availability aspect of the system, as indicated by the CVSS scoring which shows high impact on availability (A:H) but no impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by switching from spinlockt to rawspinlockt, which does not sleep even with PREEMPTRT enabled. The fix has been implemented in multiple kernel versions, with patches available for affected versions. Debian has addressed this in version 6.1.128-1 for bookworm and 6.1.128-1~deb11u1 for bullseye (Debian Tracker).