CVE-2024-50011: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50011 is a vulnerability in the Linux kernel's Intel ASoC (Audio System on Chip) driver, specifically in the soc-acpi-intel-rpl-match component. The issue was discovered and disclosed on October 21, 2024, affecting Linux kernel versions from 6.11 up to (excluding) 6.11.3, and version 6.12-rc1 (NVD).

The vulnerability stems from a missing empty item in the struct snd_soc_acpi_link_adr array. The issue occurs because there is no links_num in struct snd_soc_acpi_mach {}, and the code tests !link->num_adr as a condition to end the loop in hda_sdw_machine_select(). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and is classified as CWE-835 (Loop with Unreachable Exit Condition) (NVD).

The vulnerability primarily affects system availability. According to the CVSS metrics, while there is no impact on confidentiality or integrity, there is a high impact on availability, suggesting that successful exploitation could lead to system disruption (NVD).

The vulnerability has been fixed through a patch that adds the missing empty item to the struct snd_soc_acpi_link_adr array. The fix has been implemented in Linux kernel versions 6.11.4-1 and later. Various distributions have also released updates to address this vulnerability, including Ubuntu and Debian (Kernel Patch, Ubuntu Notice).