CVE-2024-46822: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-46822 affects the Linux kernel's ARM64 ACPI implementation, specifically in the get_cpu_for_acpi_id() function. The vulnerability was discovered during a review of vCPU hotplug support changes and was disclosed on September 27, 2024. The issue affects multiple versions of the Linux kernel, including versions up to 5.4.284, 5.10.226, 5.15.167, 6.1.110, 6.6.51, and 6.10.10 (NVD).

The vulnerability stems from improper handling of CPU entries in the get_cpu_for_acpi_id() function. When an MPIDR check fails in acpi_map_gic_cpu_interface(), it can result in cpu_madt_gicc[cpu] being NULL, potentially leading to a NULL pointer dereference. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

If exploited, this vulnerability could lead to a NULL pointer dereference, potentially resulting in a denial of service condition through a system crash. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been patched by hardening the get_cpu_for_acpi_id() function to check for valid CPU entries before accessing them. The fix involves adding an additional check using acpi_cpu_get_madt_gicc(cpu) before attempting to access the CPU ID. Users should update to the patched versions of the Linux kernel (Kernel Patch).