CVE-2024-49992: drm/stm: Avoid use-after-free issues with crtc and plane
First published: Mon Oct 21 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: drm/stm: Avoid use-after-free issues with crtc and plane ltdc_load() calls functions drm_crtc_init_with_planes(), drm_universal_plane_init() and drm_encoder_init(). These functions should not be called with parameters allocated with devm_kzalloc() to avoid use-after-free issues [1]. Use allocations managed by the DRM framework. Found by Linux Verification Center (linuxtesting.org). [1] https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux kernel | <6.1.113 | |
| Linux kernel | >=6.2<6.6.55 | |
| Linux kernel | >=6.7<6.10.14 | |
| Linux kernel | >=6.11<6.11.3 | |
| Linux Kernel | <6.1.113 | |
| Linux Kernel | >=6.2<6.6.55 | |
| Linux Kernel | >=6.7<6.10.14 | |
| Linux Kernel | >=6.11<6.11.3 | |
| debian/linux | <=5.10.223-1<=5.10.234-1 | 6.1.129-1 6.1.128-1 6.12.21-1 |
| debian/linux-6.1 | 6.1.129-1~deb11u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/d02611ff001454358be6910cb926799e2d818716
- https://git.kernel.org/stable/c/0a1741d10da29aa84955ef89ae9a03c4b6038657
- https://git.kernel.org/stable/c/454e5d7e671946698af0f201e48469e5ddb42851
- https://git.kernel.org/stable/c/b22eec4b57d04befa90e8554ede34e6c67257606
- https://git.kernel.org/stable/c/19dd9780b7ac673be95bf6fd6892a184c9db611f
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49992
- https://nvd.nist.gov/vuln/detail/CVE-2024-49992
- https://launchpad.net/bugs/cve/CVE-2024-49992
- https://security-tracker.debian.org/tracker/CVE-2024-49992
- https://ubuntu.com/security/CVE-2024-49992
- https://git.kernel.org/linus/19dd9780b7ac673be95bf6fd6892a184c9db611f
Frequently Asked Questions
What is the severity of CVE-2024-49992?
The severity of CVE-2024-49992 is classified as medium due to its potential impact on use-after-free vulnerabilities in the Linux kernel.
How do I fix CVE-2024-49992?
To fix CVE-2024-49992, users should upgrade to a patched version of the Linux kernel that addresses this vulnerability.
Which versions of the Linux kernel are affected by CVE-2024-49992?
CVE-2024-49992 affects Linux kernel versions prior to 6.1.113 and between specific ranges, namely from 6.2 to 6.6.55, from 6.7 to 6.10.14, and from 6.11 to 6.11.3.
What are the implications of CVE-2024-49992 for Linux users?
The implications for Linux users include potential exploitation risks that could lead to stability issues and unauthorized access.
Is there a workaround for CVE-2024-49992 if I cannot upgrade?
There are no official workarounds for CVE-2024-49992, so upgrading to a secure version is highly recommended.
- agent/title
- agent/first-publish-date
- agent/type
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- agent/references
- agent/source
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.11
- package-manager/debian