CVE-2024-46849: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel's ASoC (ALSA System on Chip) Meson audio driver, specifically in the axg-card component. The vulnerability was identified on September 27, 2024, and tracked as CVE-2024-46849. The issue occurs when the buffer 'card->dailink' is reallocated in the 'mesoncardreallocatelinks()' function, leading to potential memory corruption (NVD).

The vulnerability is caused by improper handling of memory reallocation in the axg-card driver. Specifically, the 'pad' pointer initialization occurs before memory reallocation, leading to a use-after-free condition when accessing the reallocated memory. The issue was detected by the Kernel Address Sanitizer (KASAN) which reported a slab-use-after-free error in the axgcardadd_link function. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker with local access to cause memory corruption, potentially leading to privilege escalation, information disclosure, or system crashes. The high CVSS score indicates that successful exploitation could result in a complete compromise of system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed by moving the 'pad' pointer initialization after the memory reallocation function. Multiple Linux distributions have released patches to address this issue. Ubuntu has released fixes for various kernel versions including 5.15.0-127.137 for Ubuntu 22.04 LTS and 5.4.0-208.228 for Ubuntu 20.04 LTS (Ubuntu).