NULL pointer dereference in Linux kernel video fbdev driver

1) NULL pointer dereference

EUVDB-ID: #VU104652

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47652

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ufx_usb_probe() function in drivers/video/fbdev/smscufx.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

CPE2.3

• cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/0fd28daec73525382e5c992db8743bf76e42cd5c
https://git.kernel.org/stable/c/1791f487f877a9e83d81c8677bd3e7b259e7cb27
https://git.kernel.org/stable/c/64ec3e678d76419f207b9cdd338dda438ca10b1c
https://git.kernel.org/stable/c/9280ef235b05e8f19f8bc6d547b992f0a0ef398d
https://git.kernel.org/stable/c/c420b540db4b5d69de0a36d8b9d9a6a79a04f05a
https://git.kernel.org/stable/c/d1b6a1f0c23b7164250479bf92e2893291dca539
https://git.kernel.org/stable/c/d396c651e2b508b6179bb678cc029f3becbf5170
https://git.kernel.org/stable/c/da8b269cc0a2526ebeaccbe2484c999eb0f822cf
https://git.kernel.org/stable/c/dd3a6cc7385b89ec2303f39dfc3bafa4e24cec4b

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.