CVE-2024-41028: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-41028 affects the Linux kernel's platform/x86 toshibaacpi driver. The vulnerability was discovered in July 2024 and involves an array out-of-bounds access issue in the toshibadmi_quirks[] array. The vulnerability affects Linux kernel versions from 6.1 through 6.9.10, including various release candidates of version 6.10 (NVD).

The vulnerability stems from a missing empty entry terminator in the toshibadmiquirks[] array when used with standard DMI matching functions. This missing terminator causes an array out-of-bounds access every time the quirk list is processed. The issue was introduced by commit 3cb1f40dfdc3 which added functionality to call HCIPANELPOWER_ON on resume for certain models. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to privilege escalation, denial of service, or information leaks due to the array out-of-bounds access in the kernel's Toshiba ACPI driver (Debian).

The vulnerability has been fixed by adding a terminating empty entry to the toshibadmiquirks[] array. The fix has been implemented in various Linux distributions, including Ubuntu 24.04 LTS (noble) with kernel version 6.8.0-48.48 and Debian 11 with linux-6.1 version 6.1.119-1~deb11u1. Users are advised to update their systems to the patched versions (Ubuntu).