#VU96109 Use-after-free in Linux kernel - CVE-2024-42313
Vulnerability identifier: #VU96109
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-416
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the vdec_close() function in drivers/media/platform/qcom/venus/vdec.c. A local user can escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/da55685247f409bf7f976cc66ba2104df75d8dad
https://git.kernel.org/stable/c/66fa52edd32cdbb675f0803b3c4da10ea19b6635
https://git.kernel.org/stable/c/6a96041659e834dc0b172dda4b2df512d63920c2
https://git.kernel.org/stable/c/a0157b5aa34eb43ec4c5510f9c260bbb03be937e
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
