CVE-2024-53075: 
Linux Debian vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2024-53075) was discovered in the RISC-V architecture's cache initialization code. The issue involves a bad reference count on CPU nodes when populating cache leaves. The vulnerability was disclosed on November 19, 2024, affecting Linux kernel versions from 6.11 through 6.11.7, including various release candidates of version 6.12 (NVD).

The vulnerability occurs in the cache initialization process where the CPU device node is fetched at the beginning of the operation. When ACPI is enabled, the code follows a specific branch that returns early without calling 'ofnodeput' for the acquired node. Additionally, the function lacked error checking when acquiring the device node. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD, Kernel Patch).

The vulnerability results in a bad reference count of the CPU device node, which could potentially lead to memory management issues and system instability. The impact is primarily focused on availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been patched by moving the initialization of the CPU device node past the ACPI block, ensuring proper 'ofnodeput' call execution. Additionally, error checking has been added when acquiring the device node. Users should upgrade to Linux kernel version 6.11.7 or later which contains the fix (Kernel Patch).