CVE-2024-39473: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-39473 affects the Linux kernel's ASoC (ALSA System on Chip) SOF (Sound Open Firmware) subsystem. The vulnerability was discovered in the ipc4-topology component, specifically related to process modules without base extension. The issue was disclosed on July 5, 2024, and affects Linux kernel versions up to 6.4 and versions from 6.6 up to 6.6.34, as well as versions from 6.9 up to 6.9.5 (NVD).

The vulnerability is caused by a NULL pointer dereference in the ipc4-topology component when handling process modules without base extension. Specifically, if a process module does not have base config extension, the same format applies to all of its inputs and the process->baseconfigext is NULL, which can cause a NULL dereference when specifically crafted topology and sequences are used. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability can lead to a denial of service condition through system crash when exploited. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that adds a check for process modules without base config extension. The fix has been backported to various stable kernel versions. Ubuntu has released updates for affected versions, including 24.04 LTS (noble) with kernel version 6.8.0-44.44 (Ubuntu Security).