CVE-2024-46842
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Summary
CVE-2024-46842 is a vulnerability affecting the Linux kernel's lpfc driver. The issue lies in the handling of mailbox timeouts in the lpfc_get_sfp_info function. When LPFC encounters a mailbox timeout, it unconditionally frees submitted mailbox commands. However, if firmware returns SFP information at a later time, it references previously freed memory, leading to a use-after-free vulnerability. This issue is resolved by adding checks for the MBX_TIMEOUT return code and delaying the freeing of resources until firmware completes the mailbox at a later time. Additionally, the timeout is increased from 30 to 60 seconds to accommodate longer boot scripts.
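The ownership rule behind the fix, shown as an added userspace C model that is not the lpfc driver's code. All struct, function and field names are hypothetical and only MBX_TIMEOUT comes from the summary above. On timeout the caller leaves the command alone, and the late-completion path releases it.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model with hypothetical names; only MBX_TIMEOUT is from the advisory. */
enum { MBX_SUCCESS = 0, MBX_TIMEOUT = 1 };
struct mbox {
    unsigned char *buf;   /* buffer the firmware fills with SFP data */
    int abandoned;        /* waiter timed out; completion path must free */
};
static int frees;         /* release counter, observable by callers */
static void mbox_release(struct mbox *m) { free(m->buf); free(m); frees++; }

/* Simulated issue-and-wait; fw_late models firmware missing the deadline. */
static int issue_mbox_wait(struct mbox *m, int fw_late)
{
    if (fw_late) { m->abandoned = 1; return MBX_TIMEOUT; }
    memset(m->buf, 0xA5, 256);
    return MBX_SUCCESS;
}

/* Late completion: firmware still writes buf, then the command is released. */
static void fw_late_completion(struct mbox *m)
{
    memset(m->buf, 0xA5, 256);   /* would touch freed memory had the caller freed */
    if (m->abandoned) mbox_release(m);
}

/* Fixed caller: release on every return code except MBX_TIMEOUT. */
static int get_sfp_info(int fw_late, struct mbox **pending)
{
    struct mbox *m = calloc(1, sizeof(*m));
    *pending = NULL;
    if (!m) return -1;
    if (!(m->buf = malloc(256))) { free(m); return -1; }
    int rc = issue_mbox_wait(m, fw_late);
    if (rc != MBX_TIMEOUT) mbox_release(m);
    else *pending = m;           /* still in flight: ownership stays with completion */
    return rc;
}

int main(void)
{
    struct mbox *p;
    get_sfp_info(0, &p);              /* normal path: caller frees */
    if (get_sfp_info(1, &p) == MBX_TIMEOUT)
        fw_late_completion(p);        /* late firmware reply frees */
    return frees == 2 ? 0 : 1;
}
```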