CVE-2024-43098: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-43098 is a vulnerability in the Linux kernel's I3C subsystem, discovered and disclosed on January 11, 2025. The issue affects Linux kernel versions from 5.0 up to versions before 5.4.287, 5.10.231, 5.15.174, 6.1.120, and 6.12.5. The vulnerability stems from a deadlock condition in the I3C driver implementation (NVD).

The vulnerability occurs when i3c_master_register() acquires &i3cbus->lock twice, leading to a potential deadlock scenario. The issue manifests when the lock is acquired recursively during device initialization, specifically in the i3c_device_uevent function's call to i3c_device_get_info(). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

The vulnerability can result in a system deadlock, potentially causing a denial of service condition in affected Linux systems. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (NVD).

The vulnerability has been fixed by modifying the code to use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid acquiring the lock twice. Patches have been released for various Linux kernel versions, including updates to version 5.10.234-1 for Debian 11 bullseye and 6.1.128-1 for newer distributions (Debian Security).