CVE-2024-27043

media: edia: dvbdev: fix a use-after-free

Severity Score

5.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed
in several error-handling paths. However, *pdvbdev is not set to NULL
after dvbdev's deallocation, causing use-after-frees in many places,
for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in
dvb_register_device) could point to memory that had been freed in
dvb_register_device. Thereafter, this pointer is transferred to
kref_put and triggering a use-after-free.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: medios: edia: dvbdev: corregir un use-after-free En dvb_register_device, *pdvbdev se establece igual a dvbdev, que se libera en varias rutas de manejo de errores. Sin embargo, *pdvbdev no se establece en NULL después de la desasignación de dvbdev, lo que provoca use-after-free en muchos lugares, por ejemplo, en la siguiente cadena de llamadas: Budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device | -> dvb_remove_device |-> dvb_device_put |-> kref_put Al llamar a dvb_unregister_device, dmxdev->dvbdev (es decir, *pdvbdev en dvb_register_device) podría apuntar a la memoria que se había liberado en dvb_register_device. A partir de entonces, este puntero se transfiere a kref_put y se activa un use-after-free.

In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain: budget_register |-> dvb_dmxdev_init |-> dvb_register_device |-> dvb_dmxdev_release |-> dvb_unregister_device |-> dvb_remove_device |-> dvb_device_put |-> kref_put When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggering a use-after-free.

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/b61901024776b25ce7b8edc31bb1757c7382a88e	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d0f5c28333822f9baa5280d813124920720fd856	2024-03-26
https://git.kernel.org/stable/c/f20c3270f3ed5aa6919a87e4de9bf6c05fb57086	2024-03-26
https://git.kernel.org/stable/c/096237039d00c839f3e3a5fe6d001bf0db45b644	2024-03-26
https://git.kernel.org/stable/c/0d3fe80b6d175c220b3e252efc6c6777e700e98e	2024-03-26
https://git.kernel.org/stable/c/437a111f79a2f5b2a5f21e27fdec6f40c8768712	2024-03-26
https://git.kernel.org/stable/c/779e8db7efb22316c8581d6c229636d2f5694a62	2024-03-26
https://git.kernel.org/stable/c/35674111a043b0482a9bc69da8850a83f465b07d	2024-03-26
https://git.kernel.org/stable/c/b7586e902128e4fb7bfbb661cb52e4215a65637b	2024-03-26
https://git.kernel.org/stable/c/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5	2024-02-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-27043	2024-11-26
https://bugzilla.redhat.com/show_bug.cgi?id=2278445	2024-11-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 4.19.311 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 4.19.311"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 5.4.273 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 5.4.273"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 5.10.214 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 5.10.214"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 5.15.153 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 5.15.153"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 6.1.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 6.1.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 6.6.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 6.6.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 6.7.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 6.7.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 6.8.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.21 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.21 < 6.9"		en		Affected