CVE-2024-50103: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50103 is a NULL pointer dereference vulnerability discovered in the Linux kernel's ASoC (ALSA System on Chip) Qualcomm LPASS CPU driver. The vulnerability was disclosed on November 5, 2024, and affects Linux kernel versions from 5.10 through 6.11.6. The issue exists in the asoc_qcom_lpass_cpu_platform_probe() function where a devm_kzalloc() call could return a NULL pointer without proper validation (NVD).

The vulnerability stems from a missing NULL pointer check after a devm_kzalloc() call in the asoc_qcom_lpass_cpu_platform_probe() function within the QCOM LPASS CPU driver. The function allocates memory for i2sctl regmap fields but fails to verify the allocation's success before usage. The CVSS v3.1 base score is 5.5 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

The vulnerability can lead to a NULL pointer dereference, which could result in a system crash or denial of service condition. The impact is primarily on system availability, with no direct effects on confidentiality or integrity. The CVSS scoring indicates high impact on availability while requiring local access (NVD).

The vulnerability has been patched by adding a NULL pointer check after the devm_kzalloc() call. The fix has been implemented across multiple kernel versions, with patches available for affected versions. The fix involves adding a simple NULL check and returning -ENOMEM if the allocation fails (Kernel Patch).