#VU100623 NULL pointer dereference in Linux kernel - CVE-2024-50273


Vulnerability identifier: #VU100623

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50273

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the insert_delayed_ref() function in fs/btrfs/delayed-ref.c. A local user can trigger the flaw to perform a denial of service (DoS) attack.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: All versions


External links
https://git.kernel.org/stable/c/2fd0948a483e9cb2d669c7199bc620a21c97673d
https://git.kernel.org/stable/c/93c5b8decc0ef39ba84f4211d2db6da0a4aefbeb
https://git.kernel.org/stable/c/bf0b0c6d159767c0d1c21f793950d78486690ee0
https://git.kernel.org/stable/c/c24fa427fc0ae827b2a3a07f13738cbf82c3f851
https://git.kernel.org/stable/c/2cb1a73d1d44a1c11b0ee5eeced765dd80ec48e6
https://git.kernel.org/stable/c/f04be6d68f715c1473a8422fc0460f57b5e99931
https://git.kernel.org/stable/c/50a3933760b427759afdd23156a7280a19357a92
https://git.kernel.org/stable/c/c9a75ec45f1111ef530ab186c2a7684d0a0c9245


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

