CVE-2024-58093: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-58093 is a vulnerability in the Linux kernel related to PCI/ASPM (Active State Power Management) functionality. The vulnerability was disclosed on April 16, 2025, affecting the Linux kernel's PCI subsystem, specifically in the handling of ASPM link state management during switch upstream function removal (NVD, Debian Tracker).

The vulnerability stems from incorrect timing in freeing ASPM links during function removal. The issue occurs in two scenarios: first, when freeing the ASPM link only after the last function on the bus is removed (too late), and second, when freeing the ASPM parent link state upon any function removal (too early). This particularly affects PCIe switches with MFD (Multi-Function Device) on the upstream port, where removing functions other than function 0 first would free a link that still remains parent_link to the remaining downstream ports. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The vulnerability can result in use-after-free conditions and General Protection Faults (GPFs). These issues are particularly prevalent during hot-unplug operations, as pciehp removes devices on the link bus in reverse order (Red Hat).

The issue has been resolved by modifying the timing of ASPM link freeing to occur exactly when function 0 is removed - after all subordinate links are gone but before the parent link becomes obsolete (NVD).