AZL-53166

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53166.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-53166

Upstream

CVE-2024-50240

Published

2024-11-09T11:15:09Z

Modified

2026-04-01T05:17:58.819890Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2024-50240 affecting package kernel for versions less than 6.6.64.2-1

Details

In the Linux kernel, the following vulnerability has been resolved:

phy: qcom: qmp-usb: fix NULL-deref on runtime suspend

Commit 413db06c05e7 ("phy: qcom-qmp-usb: clean up probe initialisation") removed most users of the platform device driver data, but mistakenly also removed the initialisation despite the data still being used in the runtime PM callbacks.

Restore the driver data initialisation at probe to avoid a NULL-pointer dereference on runtime suspend.

Apparently no one uses runtime PM, which currently needs to be enabled manually through sysfs, with this driver.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50240

Affected packages

Azure Linux:3 / kernel

Package

Name: kernel
Purl: pkg:rpm/azure-linux/kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.64.2-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-53166.json"