This blog discusses how a mishandled vulnerability in the Linux kernel’s MDS mitigation resulted in information leakage and KASLR defeats. The article details the impact, affected kernels, and downstream distributions, such as Debian and SUSE. The fix proposed by Brad Spengler is outlined, along with the quick turnaround from report to upstream acknowledgment. The blog also criticizes the handling of the CVE by the Linux CNA, raising concerns about automation, errors in assigning the CVE year, and identifying fixes rather than vulnerabilities. The controversy surrounding the Linux CNA’s practices and impact on the CVE ecosystem is highlighted as well.
https://grsecurity.net/cve-2021-4440_linux_cna_case_study