CVE-2024-49935: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49935 affects the Linux kernel's ACPI Platform Adjustment Driver (PAD). The vulnerability was discovered in the exitroundrobin() function where a crash occurs in cpumaskclearcpu() due to misaligned memory access when executing clear_bit(nr, addr) with nr set to 0xffffffff (NVD). The issue affects multiple Linux kernel versions up to 5.15.168, 6.1.113, 6.6.55, and 6.10.14 (NVD).

The vulnerability occurs in the ACPI PAD driver's exitroundrobin() function. When executing clearbit(nr, addr) with nr set to 0xffffffff, the address calculation causes misalignment within memory, leading to access to an invalid memory address. The issue manifests as a kernel crash in the cpumaskclear_cpu() function. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can cause a denial of service condition through system crashes when the affected code path is triggered. The issue specifically impacts the kernel's ability to handle CPU mask operations in the ACPI PAD driver, potentially affecting system stability (NVD).

The vulnerability has been fixed by adding a check to ensure that tskincpu[tskindex] != -1 before calling cpumaskclearcpu() in exitroundrobin(), similar to the check already present in roundrobin_cpu(). The fix has been implemented in various kernel versions through patches (Kernel Patch).