CVE-2024-26599: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26599 is a vulnerability discovered in the Linux kernel's PWM (Pulse Width Modulation) subsystem, specifically in the of_pwm_single_xlate() function. The vulnerability was reported on February 23, 2024, and involves an out-of-bounds access issue. The affected versions include Linux kernel from version 5.17 up to (excluding) 6.1.75, versions from 6.2.0 up to (excluding) 6.6.14, and versions from 6.7.0 up to (excluding) 6.7.2 (NVD).

The vulnerability stems from an incorrect array access in the of_pwm_single_xlate() function within the PWM subsystem. When args->args_count equals 2, the code incorrectly attempts to access args->args[2], which is out of bounds. The flags are actually contained in args->args[1]. This issue was introduced in commit 3ab7b6ac5d82 which implemented the single-PWM of_xlate function. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The out-of-bounds access vulnerability could potentially lead to memory corruption, which may result in system crashes, information disclosure, or privilege escalation in the Linux kernel. The high CVSS score indicates that successful exploitation could have significant impacts on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves correcting the array access to use args->args[1] instead of args->args[2]. Fixed versions include Linux kernel 6.1.75, 6.6.14, and 6.7.2. Users are advised to upgrade to these or later versions. The patch has been backported to various stable kernel branches (Kernel Git).