CVE-2024-47682: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47682 is an off-by-one error vulnerability discovered in the Linux kernel's SCSI subsystem. The vulnerability affects the sdreadblock_characteristics() function in the SCSI disk driver when handling VPD page 0xb1 responses. The issue was identified and fixed in September 2024, affecting Linux kernel versions from 5.19 through 6.11.2 (NVD).

The vulnerability occurs in the sdreadblock_characteristics() function within the SCSI disk driver (sd.c). When a device returns page 0xb1 with length 8 (which happens with QEMU v2.x), the function may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. The issue stems from an incorrect boundary check where vpd->len < 8 was used instead of vpd->len <= 8. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to out-of-bounds memory access, potentially resulting in system crashes, information leaks, or privilege escalation. The issue occurs during system boot or disk installation when the disk is seen for the first time (Kernel Patch).

The vulnerability has been fixed in multiple Linux kernel versions. The fix involves correcting the boundary check condition from 'vpd->len < 8' to 'vpd->len <= 8' in the sdreadblock_characteristics() function. Users should upgrade to Linux kernel versions 6.1.113 or later, 6.6.54 or later, 6.10.13 or later, or 6.11.2 or later (NVD).