CVE-2024-46698: 
Linux Kernel vulnerability analysis and mitigation

A NULL pointer dereference vulnerability was discovered in the Linux kernel's video/aperture subsystem (CVE-2024-46698). The issue occurs in the apertureremoveconflictingpcidevices() function when handling non-VGA class boot display devices. The vulnerability was discovered and patched in September 2024, affecting Linux kernel versions from 6.5 up to (excluding) 6.10.8, as well as version 6.11 release candidates (NVD).

The vulnerability stems from improper handling of sysfbdisable() calls on VGA class devices. When a non-VGA class PCI device is the boot display and is probed first, sysfbdisable() is not called, but the device resources are freed by aperturedetachplatformdevice(). Subsequently, when a non-primary GPU with VGA class is processed, it calls sysfbdisable(), resulting in a NULL pointer dereference since the resources were already freed. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability can lead to a NULL pointer dereference in the Linux kernel, potentially causing system crashes or denial of service conditions. The impact is limited to local attacks and requires local user privileges to exploit (NVD).

The issue has been fixed by modifying sysfb_disable() to accept a device pointer parameter and checking the device to determine if it should execute. The fix has been implemented in Linux kernel version 6.10.8 and later. Users should update their Linux kernel to the latest version that includes the patch (Kernel Patch).