CVE-2024-49924

HIGH EPSS 16.1%

Published Oct 21, 20241y ago · Modified Jun 17, 20261w ago

7.8 CVSS 3.1

High

Published Oct 21, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module which will call pxafb_remove to make cleanup, it will call unregister_framebuffer function which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | pxafb_task pxafb_remove | unregister_framebuffer(info) | do_unregister_framebuffer(fb_info) | put_fb_info(fb_info) | // free fbi->fb | set_ctrlr_state(fbi, state) | __pxafb_lcd_power(fbi, 0) | fbi->lcd_power(on, &fbi->fb.var) | //use fbi->fb Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.

CVSS Details

Base Score

7.8

Exploitability

1.8

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

16.1% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 9

Vendor	Product	Version	Range
debian	debian_linux	11.0	any
linux	linux_kernel	*	≥2.6.27 – <4.19.323
linux	linux_kernel	*	≥4.20 – <5.4.285
linux	linux_kernel	*	≥5.5 – <5.10.227
linux	linux_kernel	*	≥5.11 – <5.15.168
linux	linux_kernel	*	≥5.16 – <6.1.113
linux	linux_kernel	*	≥6.2 – <6.6.55
linux	linux_kernel	*	≥6.7 – <6.10.14
linux	linux_kernel	*	≥6.11 – <6.11.3

References 10

git.kernel.org https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd

Patch
git.kernel.org https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e

Patch
git.kernel.org https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a

Patch
git.kernel.org https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473

Patch
git.kernel.org https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e

Patch
git.kernel.org https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08

Patch
git.kernel.org https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd

Patch
git.kernel.org https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae

Patch
git.kernel.org https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370

Patch
lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Mailing ListThird Party Advisory

Remediation

git.kernel.org https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd

Patch
git.kernel.org https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e

Patch
git.kernel.org https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a

Patch
git.kernel.org https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473

Patch
git.kernel.org https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e

Patch
git.kernel.org https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08

Patch
git.kernel.org https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd

Patch
git.kernel.org https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae

Patch
git.kernel.org https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370

Patch