CVE-2024-49891
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's lpfc SCSI driver allows local attackers to cause kernel crashes or denial of service. This affects systems using Emulex LightPulse Fibre Channel HBAs with vulnerable kernel versions. The vulnerability occurs during HBA reset or errata handling when freed pointers are accessed.
💻 Affected Systems
- Linux kernel with lpfc driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash or kernel panic requiring reboot, causing temporary service interruption.
If Mitigated
Minimal impact with proper access controls preventing local attackers from triggering the condition.
🎯 Exploit Status
Requires local access and ability to trigger HBA reset or errata conditions. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel trees via commits: 232a138bd843d48cb2368f604646d990db7640f3, 2be1d4f11944cd6283cb97268b3e17c4424945ca, 5873aa7f814754085d418848b2089ef406a02dd0, 99a801e2fca39a6f31e543fc3383058a8955896f, fd665c8dbdb19548965b0ae80c490de00e906366
Vendor Advisory: https://git.kernel.org/stable/c/232a138bd843d48cb2368f604646d990db7640f3
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution vendor. 2. Rebuild kernel if using custom kernel. 3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Restrict local access
linuxLimit local user access to systems with vulnerable lpfc driver
Disable lpfc module
linuxRemove or blacklist lpfc kernel module if Fibre Channel HBAs are not required
echo 'blacklist lpfc' >> /etc/modprobe.d/blacklist.conf
rmmod lpfc
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized local users from accessing affected systems
- Monitor system logs for kernel panic events and implement failover/redundancy for critical services
🔍 How to Verify
Check if Vulnerable:
Check kernel version and lpfc driver version. Vulnerable if using unpatched kernel with lpfc driver loaded.Check Version:
uname -r && modinfo lpfc | grep versionVerify Fix Applied:
Verify kernel version includes the patch commits or check with distribution vendor for patched kernel version.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- NULL pointer dereference errors in kernel logs
- System crash/reboot events
Network Indicators:
- Sudden loss of connectivity to storage systems using Fibre Channel
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "kernel panic" OR "Oops") AND "lpfc"🔗 References
- https://git.kernel.org/stable/c/232a138bd843d48cb2368f604646d990db7640f3
- https://git.kernel.org/stable/c/2be1d4f11944cd6283cb97268b3e17c4424945ca
- https://git.kernel.org/stable/c/5873aa7f814754085d418848b2089ef406a02dd0
- https://git.kernel.org/stable/c/99a801e2fca39a6f31e543fc3383058a8955896f
- https://git.kernel.org/stable/c/fd665c8dbdb19548965b0ae80c490de00e906366
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
