CVE-2024-46868: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-46868 affects the Linux kernel's Qualcomm UEFI Secure Application firmware component. The vulnerability was discovered in the qcuefi_acquire() function where a potential deadlock condition exists. The issue affects Linux kernel versions from 6.7 up to (excluding) 6.10.11, as well as version 6.11 release candidates (rc1 through rc7). The vulnerability was disclosed on September 27, 2024 (NVD).

The vulnerability stems from a deadlock condition in the qcuefi_acquire() function within the Qualcomm UEFI Secure Application firmware component. If the __qcuefi pointer is not set, the original code would maintain the lock, potentially causing a deadlock if an attempt was made to set it later. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

The vulnerability primarily affects system availability due to the potential deadlock condition. With a CVSS score emphasizing high availability impact (A:H), the bug could lead to system hangs or unresponsiveness in affected components, particularly when interacting with the Qualcomm UEFI Secure Application firmware interface (NVD).

The vulnerability has been fixed by dropping the lock on the error path in the qcuefi_acquire() function. The fix has been implemented in the Linux kernel through a patch that modifies the drivers/firmware/qcom/qcom_qseecom_uefisecapp.c file. Users should update to patched versions of the kernel. Ubuntu has released fixes for various kernel versions including 6.8.0-50.51 for Ubuntu 24.04 LTS (Kernel Patch, Ubuntu).