CVE-2024-35992: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-35992 is a vulnerability discovered in the Linux kernel affecting the Marvell A3700 COMPHY driver. The vulnerability was identified by the Linux Verification Center (linuxtesting.org) using SVACE tool and was disclosed on May 20, 2024. The issue affects Linux kernel versions from 5.18 up to (excluding) 6.1.90, from 6.2 up to (excluding) 6.6.30, and from 6.7 up to (excluding) 6.8.9 (NVD).

The vulnerability is an out-of-bounds read issue in the Marvell A3700 COMPHY driver. Specifically, there is an out-of-bounds read access of 'gbephyinitfix[fixidx].addr' that occurs every iteration after 'fixidx' reaches 'ARRAYSIZE(gbephyinit_fix)'. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability could lead to a potential denial of service condition through an out-of-bounds read in the affected Linux kernel versions. The CVSS score indicates that while the vulnerability requires local access and low privileges, it could have a high impact on system availability (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that ensures 'gbephyinit[addr]' is used when all elements of 'gbephyinit_fix' array are handled. The fix has been implemented in various kernel versions including 6.8.0-39.39 for Ubuntu 24.04 LTS and other distribution-specific kernel versions (Kernel Patch).