CVE-2024-38411

Use After Free in Computer Vision

Severity Score

6.6
*CVSS v3.1

Exploit Likelihood

< 1%
*EPSS

Affected Versions

18
*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC

Descriptions

Memory corruption while registering a buffer from user-space to kernel-space using IOCTL calls.

In msm_cvp_map_buf_wncc (reachable from the EVA_KMD_REGISTER_BUFFER ioctl), a cbuf is created, fully initialized and then unconditionally added to the linked list inst->cvpwnccbufs.list. The function next tries to add an entry for the buffer to inst->cvpwnccbufs_table. That insertion fails if the table already holds 2400 entries, and the failure path unwinds all initialization performed so far and frees cbuf. However, cbuf is not removed from inst->cvpwnccbufs.list before it is destroyed, so the list keeps a dangling entry in this failure case. The next time inst->cvpwnccbufs.list is walked, that entry is dereferenced: a use-after-free.
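The failure path described above, as an added C simulation that is not the Qualcomm driver's code: a small list.h-style list and a 2400-slot table stand in for inst->cvpwnccbufs.list and inst->cvpwnccbufs_table, a flag replaces the actual free so the stale node can be counted without undefined behaviour, and a boolean selects whether the unwind performs the list_del() that the advisory says is missing. The names cvp_buf, cvp_inst, register_buf, run_scenario, sim_kfree and the quarantine mechanism are this example's own assumptions; only the 2400-entry limit comes from the text.

```c
/* Simulation of the unwind bug in msm_cvp_map_buf_wncc (CVE-2024-38411).
 * Added illustration, not the Qualcomm EVA driver's code: the list, table and
 * buffer struct are stand-ins for inst->cvpwnccbufs.list, inst->cvpwnccbufs_table
 * and cbuf; only the 2400-entry table limit is taken from the description. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define WNCC_TABLE_SIZE 2400
#define QUARANTINE_SIZE 8

/* Minimal intrusive doubly linked list in the style of the kernel's list.h. */
struct list_head { struct list_head *next, *prev; };
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
#define list_entry(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

struct cvp_buf {
	struct list_head list;
	bool freed;     /* simulation only: set by sim_kfree() instead of releasing memory */
};

struct cvp_inst {
	struct list_head wncc_list;                   /* inst->cvpwnccbufs.list */
	struct cvp_buf *table[WNCC_TABLE_SIZE];       /* inst->cvpwnccbufs_table */
	int table_count;
	struct cvp_buf *quarantine[QUARANTINE_SIZE];  /* "freed" objects kept mapped */
	int nquarantine;
};

/* Stand-in for kfree(): marks and parks the object so the stale list node can be
 * observed without undefined behaviour. A real kfree() leaves the later list walk
 * reading freed, reallocatable memory, which is what an exploit would build on. */
static void sim_kfree(struct cvp_inst *inst, struct cvp_buf *b)
{
	if (inst->nquarantine == QUARANTINE_SIZE) abort();
	b->freed = true;
	inst->quarantine[inst->nquarantine++] = b;
}

static int table_insert(struct cvp_inst *inst, struct cvp_buf *b)
{
	if (inst->table_count >= WNCC_TABLE_SIZE) return -1;  /* table full: the failure path */
	inst->table[inst->table_count++] = b;
	return 0;
}

/* cbuf is linked into the list unconditionally; when the table insert fails the
 * unwind frees it. With unlink_on_fail == false (the bug) the node stays linked. */
static int register_buf(struct cvp_inst *inst, bool unlink_on_fail)
{
	struct cvp_buf *cbuf = calloc(1, sizeof *cbuf);
	if (!cbuf) return -1;
	list_add_tail(&cbuf->list, &inst->wncc_list);
	if (table_insert(inst, cbuf) < 0) {
		if (unlink_on_fail) list_del(&cbuf->list);  /* the missing step */
		sim_kfree(inst, cbuf);
		return -1;
	}
	return 0;
}

/* What "the next time inst->cvpwnccbufs.list is used" sees: nodes of freed buffers. */
static int count_dangling(struct cvp_inst *inst)
{
	int n = 0;
	for (struct list_head *p = inst->wncc_list.next; p != &inst->wncc_list; p = p->next)
		if (list_entry(p, struct cvp_buf, list)->freed) n++;
	return n;
}

/* Fill the table, then make the 2401st registration, which must fail; return how
 * many dangling list entries the failure path left behind (1 = bug, 0 = fixed). */
static int run_scenario(bool unlink_on_fail)
{
	struct cvp_inst *inst = calloc(1, sizeof *inst);
	int dangling, i;
	if (!inst) abort();
	inst->wncc_list.next = inst->wncc_list.prev = &inst->wncc_list;
	for (i = 0; i < WNCC_TABLE_SIZE; i++)
		if (register_buf(inst, unlink_on_fail) != 0) abort();  /* first 2400 succeed */
	if (register_buf(inst, unlink_on_fail) == 0) abort();      /* 2401st must fail */
	dangling = count_dangling(inst);
	for (i = 0; i < inst->table_count; i++) free(inst->table[i]);
	for (i = 0; i < inst->nquarantine; i++) free(inst->quarantine[i]);
	free(inst);
	return dangling;
}

int main(void)
{
	printf("buggy unwind (no list_del): %d dangling list entries\n", run_scenario(false));
	printf("fixed unwind (list_del):    %d dangling list entries\n", run_scenario(true));
	return 0;
}
```

Build with `cc -std=c11 -Wall sim.c && ./a.out`: the buggy unwind reports one dangling entry, the fixed one none. On a real kernel the same walk would be flagged by KASAN as a use-after-free read once kfree() has actually released the object. The list_del() is the minimal fix; the more robust design is to link the buffer into the list only after every step that can fail, so the unwind never has to unlink it. Qualcomm's actual patch is not reproduced here.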

*Credits: N/A
CVSS Scores

Three vectors are listed: the CVSS v3.1 vector behind the 6.6 score shown above, a second CVSS v3 vector that rates all three impacts High, and a CVSS v2 vector (Authentication / Complete metrics).

Metric                v3.1 (score 6.6)   v3 (second vector)   v2
Attack Vector         Local              Local                Local
Attack Complexity     Low                Low                  Low
Privileges Required   Low                Low                  Authentication: Single
User Interaction      None               None                 n/a
Scope                 Unchanged          Unchanged            n/a
Confidentiality       High               High                 Complete
Integrity             Low                High                 Complete
Availability          Low                High                 Complete

Vector strings: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L; AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (v3); AV:L/AC:L/Au:S/C:C/I:C/A:C (v2). All three agree on the practical point: a local, low-privileged caller, no user interaction required.
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-16 CVE Reserved
  • 2025-02-03 CVE Published
  • 2025-02-03 CVE Updated
  • 2025-03-06 First Exploit
  • 2025-04-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-416: Use After Free
CAPEC
Affected Vendors, Products, and Versions (18)