CVE-2024-50105: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50105 affects the Linux kernel's ASoC (ALSA System on Chip) Qualcomm SC7280 sound card driver. The vulnerability was discovered when commit 15c7fab0e047 moved the allocation of Soundwire stream runtime from the Qualcomm Soundwire driver to individual machine sound card drivers but failed to update the SC7280 card. The issue was disclosed on November 5, 2024, affecting Linux kernel versions from 6.8 up to (excluding) 6.11.6 (NVD).

The vulnerability stems from a missing Soundwire runtime stream allocation in the SC7280 sound card driver. Like other Qualcomm sound cards using Soundwire, the card driver should allocate and release the runtime. The issue has a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as a NULL Pointer Dereference (CWE-476) (NVD).

When exploited, the vulnerability results in a NULL pointer dereference or other uninitialized memory access issues during sound playback. This can lead to system crashes or denial of service conditions, particularly affecting systems using the SC7280 sound card driver (NVD).

The vulnerability has been patched in Linux kernel version 6.11.6. The fix involves updating the SC7280 card driver to properly allocate and release the Soundwire runtime stream. Users should upgrade to the patched version to mitigate the vulnerability (Ubuntu Security).