CVE-2024-49860: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49860 affects the Linux kernel's ACPI sysfs interface. The vulnerability was discovered in the _STR method implementation where only buffer objects are valid return values. The issue affects Linux kernel versions from 3.7 up to versions before 5.10.227, 5.15.168, 6.1.113, 6.6.54, and 6.11.2. This vulnerability was disclosed on October 21, 2024 (NVD).

The vulnerability exists in the ACPI sysfs interface where the STR method's return type validation was insufficient. The issue occurs in the descriptionshow() function which could access invalid memory if a non-buffer object is returned. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. It is classified as CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') (NVD).

If exploited, this vulnerability could lead to access of invalid memory when non-buffer objects are returned by the _STR method, potentially resulting in high confidentiality and availability impacts (NVD).

The vulnerability has been fixed by modifying the ACPI sysfs interface to properly validate the return type of the STR method using acpievaluateobjecttyped() with ACPITYPEBUFFER parameter. The fix has been implemented in various Linux kernel versions through patches (Kernel Patch).