CVE-2024-49895: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49895 affects the Linux kernel's DCN30 color management module, specifically in the cm3_helper_translate_curve_to_degamma_hw_format function. The vulnerability was discovered and reported by the smatch static analysis tool, with the initial disclosure on October 21, 2024. The issue affects multiple versions of the Linux kernel up to versions 5.10.227, 5.15.168, 6.1.113, 6.6.55, 6.10.14, and 6.11.3 (NVD).

The vulnerability is an index out of bounds issue in the DCN30 color management module where the index 'i' could exceed the number of transfer function points (TRANSFERFUNCPOINTS). This could lead to buffer overflow conditions in the output transfer function points for red, green, and blue color channels. The CVSS v3.1 base score is 7.8 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-129 (Improper Validation of Array Index) (NVD).

The vulnerability could potentially lead to buffer overflow conditions affecting the color management functionality in AMD graphics drivers. If exploited, it could result in system crashes, potential privilege escalation, or unauthorized code execution with local access (NVD).

A fix has been implemented that adds a bounds check to ensure the index 'i' is within the valid range before accessing the transfer function points. If 'i' exceeds TRANSFERFUNCPOINTS, the function returns false to indicate an error. The fix has been merged into various kernel versions and is available through system updates (Kernel Patch).