CVE-2024-49871

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58

Description: The issue is related to a NULL pointer dereference in the Linux kernel, specifically in the adp5589-keys input module. The problem occurs because i2c set clientdata() is set at the end of the probe function, which can lead to a NULL pointer dereference if the probe function fails early. This is due to the devm action calling adp5589 clear config() and passing the i2c client as an argument to get the device object using i2c get clientdata().

Recommendations: For versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the adp5589 clear config() function until a patch is available. Restrict access to the vulnerable adp5589-keys module to minimize the risk of exploitation. Avoid using the i2c client variable in the affected API endpoint until the issue is resolved.