CVE-2024-49990: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49990 affects the Linux kernel's DRM (Direct Rendering Manager) subsystem, specifically in the XE graphics driver's HDCP (High-bandwidth Digital Content Protection) functionality. The vulnerability was discovered and disclosed in October 2024, where the xe_gsc structure was found to not be properly initialized during HDCP capability checks. This issue affects Linux kernel versions up to (excluding) 6.10.14 and versions from (including) 6.11 up to (excluding) 6.11.3 (NVD).

The vulnerability stems from a missing validation check in the drm/xe/hdcp GSC (Graphics Security Controller) structure. When performing HDCP capability checks, the xe_gsc structure could be accessed without proper initialization, potentially leading to null pointer dereference errors. The issue has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access is required (NVD).

The vulnerability can result in system instability or crashes due to null pointer dereference when accessing uninitialized GSC structures during HDCP capability checks. This primarily affects systems using Intel XE graphics drivers with HDCP functionality (Kernel Patch).

The vulnerability has been patched in the Linux kernel by adding proper GSC structure validation checks. The fix includes adding a check for the GSC structure's validity before accessing it and implementing appropriate error handling when the structure is not initialized. The patch has been merged into the kernel codebase (Kernel Patch).