CVE-2024-56650: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56650 affects the Linux kernel's netfilter subsystem, specifically in the LED trigger target functionality. The vulnerability was discovered by Syzbot and reported on December 27, 2024. It affects Linux kernel versions from 2.6.30 up to versions before 5.4.287, 5.10.231, 5.15.174, 6.1.120, and other versions in between (NVD).

The vulnerability is a slab-out-of-bounds read issue in the LED ID check function (ledtgcheck). The bug occurs when an invalid byte sequence without a null terminator is passed from userspace, leading to a buffer overflow when the string length is calculated. The CVSS v3.1 base score is 7.1 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The issue was classified as CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability can lead to an out-of-bounds read in the kernel's memory space, potentially allowing an attacker to read sensitive information from kernel memory. The CVSS score indicates high potential impact on confidentiality and availability, though no impact on integrity (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves adding an extra check to ensure that invalid byte sequences are rejected as possible IDs before being passed to 'kstrdup()'. The patch has been backported to multiple stable kernel versions (Kernel Patch).