CVE-2024-58002: media: uvcvideo: Remove dangling pointers
First published: Thu Feb 27 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| Linux Kernel | >=4.19<6.6.80 | |
| Linux Kernel | >=6.7<6.12.14 | |
| Linux Kernel | >=6.13<6.13.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/ac18d781466252cd35a3e311e0a4b264260fd927
- https://git.kernel.org/stable/c/4dbaa738c583a0e947803c69e8996e88cf98d971
- https://git.kernel.org/stable/c/438bda062b2c40ddd7df23b932e29ffe0a448cac
- https://git.kernel.org/stable/c/9edc7d25f7e49c33a1ce7a5ffadea2222065516c
- https://git.kernel.org/stable/c/221cd51efe4565501a3dbf04cc011b537dcce7fb
- https://git.kernel.org/stable/c/117f7a2975baa4b7d702d3f4830d5a4ebd0c6d50
- https://git.kernel.org/stable/c/2a29413ace64627e178fd422dd8a5d95219a2c0b
- https://git.kernel.org/stable/c/653993f46861f2971e95e9a0e36a34b49dec542c
Frequently Asked Questions
What is the severity of CVE-2024-58002?
CVE-2024-58002 has been categorized with a medium severity due to potential risk associated with dangling pointers in the Linux kernel.
How do I fix CVE-2024-58002?
To fix CVE-2024-58002, upgrade to the latest version of the Linux kernel that addresses this vulnerability.
Which Linux kernel versions are affected by CVE-2024-58002?
CVE-2024-58002 affects Linux kernel versions between 4.19 and 6.6.80, as well as specific versions within the 6.7 to 6.12.14 range.
What type of vulnerability is CVE-2024-58002?
CVE-2024-58002 is a memory management vulnerability related to dangling pointers in the Linux kernel's uvcvideo module.
When was CVE-2024-58002 disclosed?
CVE-2024-58002 was disclosed following the identification of an issue in the Linux kernel regarding async control operations.
- agent/first-publish-date
- agent/type
- agent/title
- agent/author
- agent/source
- agent/description
- agent/severity
- agent/weakness
- agent/remedy
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup-request
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.19
- version/linux kernel/6.7
- version/linux kernel/6.13