CVE-2024-44936: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-44936 affects the Linux kernel's power supply driver rt5033. The vulnerability was introduced when commit 3a93da231c12 reworked the driver to use devm and inadvertently dropped the i2csetclientdata call along with the remove callback. This causes a kernel oops as other parts of the driver rely on i2c clientdata (Kernel Patch, Original Fix). The vulnerability affects Linux kernel versions from 6.9 up to (excluding) 6.10.5, and release candidates 6.11-rc1 and 6.11-rc2.

The vulnerability stems from a missing i2csetclientdata() call in the rt5033 power supply driver. When the driver was updated to use devmpowersupplyregister() helper, the i2cset_clientdata call was accidentally removed. This causes a NULL pointer dereference when other parts of the driver attempt to access the client data, resulting in a kernel oops. The issue has a CVSS v3.1 base score of 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

When exploited, this vulnerability causes a kernel oops due to NULL pointer dereference, which can lead to a denial of service condition. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed by bringing back the i2csetclientdata call in the driver. Users should upgrade to Linux kernel version 6.10.5 or later, or avoid using the affected versions. The fix has been backported to stable kernel trees (Kernel Patch).