CVE-2024-43829: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-43829 affects the Linux kernel's QXL display driver. The vulnerability was discovered in August 2024 and involves a missing check for the return value of drmcvtmode() function, which could lead to a NULL pointer dereference. The affected versions include Linux kernel from 5.1 up to (excluding) 6.1.103, from 6.2 up to (excluding) 6.6.44, and from 6.7 up to (excluding) 6.10.3 (NVD).

The vulnerability exists in the QXL (QEMU QXL paravirtual graphics card) display driver where the drmcvtmode() function's return value is not properly checked. The issue stems from the qxladdmode helper function, which was introduced in commit 1b043677d4be. The function fails to verify if drmcvtmode() returns NULL, potentially leading to a NULL pointer dereference when attempting to access the returned mode structure (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a denial of service condition through a system crash when the NULL pointer dereference is triggered. This affects systems running the vulnerable versions of the Linux kernel with the QXL display driver enabled (NVD).

The vulnerability has been fixed by adding a check for the return value of drmcvtmode() and returning an error if it fails. The fix has been backported to multiple stable kernel versions. Users should update their Linux kernel to versions 6.1.103 or later, 6.6.44 or later, or 6.10.3 or later. Ubuntu has released patches for affected versions in their repositories (Ubuntu Security).