#VU90146 Use-after-free in Linux kernel


Vulnerability identifier: #VU90146

Vulnerability risk: Low

CVSSv3.1: 7.7 [AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35932

CWE-ID: CWE-416

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the vc4_prepare_fb() and vc4_cleanup_fb() functions in drivers/gpu/drm/vc4/vc4_plane.c. A local user can escalate privileges on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Linux kernel:

External links
http://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40
http://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c
http://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd
http://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for the Linux Kernel
Ubuntu update for linux-oracle
Ubuntu update for linux-aws
Ubuntu update for linux-gke
Ubuntu update for linux
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel
SUSE update for the Linux Kernel