The Linux kernel’s integrity is under scrutiny due to the discovery of a significant vulnerability – CVE-2024-24855. This flaw resides in the lpfc_unregister_fcf_rescan() function of the SCSI device driver, introducing a race condition. The vulnerability, scored 4.7 (MEDIUM) on the NIST Common Vulnerability Scoring System (CVSS), can potentially lead to a null pointer dereference issue. The severity of this flaw lies in its capacity to induce a kernel panic or trigger a denial-of-service (DoS) scenario.
According to the CVSS vector (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H), exploitation requires local access and low privileges, involves high attack complexity, needs no user interaction, and leaves scope unchanged; the only impact is to availability (high), with no effect on confidentiality or integrity. In practice this means an attacker who already has a local account could attempt to trigger the race, heightening the risk on multi-user systems and shared hosts.
The NVD analysts have observed a discrepancy in the CVSS scores between NIST and the Common Vulnerabilities and Exposures (CVE) List. The NIST CVSS score is recorded as 4.7 (MEDIUM), while the score assigned by the CNA, OpenAnolis, is 5.0 (MEDIUM).