CVE-2024-50160: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50160 affects the Linux kernel's ALSA sound system, specifically in the HDA/CS8409 driver component. The vulnerability was discovered by the Linux Verification Center (linuxtesting.org) using SVACE analysis tool and was disclosed on November 7, 2024. The issue affects Linux kernel versions from 5.15 up to (excluding) 5.15.170, from 5.16 up to (excluding) 6.1.115, from 6.2 up to (excluding) 6.6.59, and from 6.7 up to (excluding) 6.11.6 (NVD).

The vulnerability is a NULL pointer dereference issue in the Linux kernel's ALSA HDA/CS8409 driver. The bug occurs when snd_hda_gen_add_kctl fails to allocate memory and returns NULL, leading to a NULL pointer dereference in the subsequent line within the dolphin_fixups function. This function is a hda_fixup function that is not designed to handle error returns (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash due to NULL pointer dereference, potentially causing a denial of service condition. The impact is limited to local attacks and requires local user privileges to exploit (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that adds a NULL pointer check before dereferencing the kctrl pointer. The fix has been backported to affected stable kernel versions. Users should update their systems to the patched versions: 5.15.170, 6.1.115, 6.6.59, or 6.11.6 and later (Kernel Patch).