CVE-2024-46833: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-46833 affects the Linux kernel's Hisilicon Network (hns3) driver. The vulnerability was discovered and disclosed on September 27, 2024, and involves an array out-of-bounds issue in the SSU (System Service Unit) register information query functionality. The vulnerability affects Linux kernel versions up to (excluding) 6.10.10 and specific release candidates of version 6.11 (rc1, rc2, rc3) (NVD).

The vulnerability occurs in the hns3 driver's SSU register information query function where a loop iterates tnl_num times. The issue arises because tnl_num is received from hardware while the target array has a fixed size (HCLGE_MOD_MSG_PARA_ARRAY_MAX_SIZE). Without proper bounds checking, this could lead to an array out-of-bounds condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

The vulnerability could allow an attacker to cause an array out-of-bounds condition in the Linux kernel's hns3 driver, potentially leading to memory corruption. Given the CVSS score and vector, successful exploitation could result in high impacts on confidentiality, integrity, and availability of the affected system (NVD).

A fix has been implemented that adds proper bounds checking by using the min() function to ensure the loop count doesn't exceed the array's maximum size (HCLGE_MOD_MSG_PARA_ARRAY_MAX_SIZE). The patch has been merged into the Linux kernel (Kernel Patch).