CVE-2024-45008: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-45008 affects the Linux kernel's input subsystem, specifically the Multi-Touch (MT) input handling functionality. The vulnerability was discovered when syzbot reported a potential large memory allocation issue in the input_mt_init_slots() function, where num_slots parameter is supplied from userspace through the ioctl(UI_DEV_CREATE) interface. The issue was disclosed and patched in July 2024 (Kernel Git).

The vulnerability exists in the input_mt_init_slots() function of the Linux kernel's input subsystem. The function accepts a num_slots parameter from userspace through an ioctl call (UI_DEV_CREATE) without proper bounds checking, potentially leading to excessive memory allocation. The fix implements an arbitrary limit of 1024 slots to prevent large memory allocations (Kernel Git).

The vulnerability could allow an attacker to trigger large memory allocations through the input subsystem, potentially leading to resource exhaustion or system instability. The issue affects various Linux distributions including Ubuntu and Debian (Ubuntu Security, Debian Tracker).

The vulnerability has been patched in multiple Linux kernel versions. Ubuntu has released fixes for versions 24.04 LTS (6.8.0-50.51), 22.04 LTS (5.15.0-125.135), and 20.04 LTS (5.4.0-200.220). Debian has also released fixes for bullseye (5.10.234-1) and bookworm (6.1.128-1) (Ubuntu Security, Debian Tracker).