CVE-2024-49924

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-49924

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49924.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-49924

Downstream

BELL-CVE-2024-49924

DEBIAN-CVE-2024-49924

DLA-4008-1

OESA-2024-2367

OESA-2024-2368

OESA-2024-2369

OESA-2024-2370

OESA-2024-2371

SUSE-SU-2024:4315-1

SUSE-SU-2024:4364-1

SUSE-SU-2024:4376-1

SUSE-SU-2025:01919-1

SUSE-SU-2025:01951-1

SUSE-SU-2025:01967-1

SUSE-SU-2025:1177-1

SUSE-SU-2025:1178-1

SUSE-SU-2025:1180-1

openSUSE-SU-2024:14500-1

openSUSE-SU-2025:14705-1

Related

Published

2024-10-21T18:15:14Z

Modified

2025-08-09T20:01:26Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: pxafb: Fix possible use after free in pxafb_task()

In the pxafbprobe function, it calls the pxafbinitfbinfo function, after which &fbi->task is associated with pxafbtask. Moreover, within this pxafbinitfbinfo function, the pxafbblank function within the &pxafbops struct is capable of scheduling work.

If we remove the module which will call pxafbremove to make cleanup, it will call unregisterframebuffer function which can call dounregisterframebuffer to free fbi->fb through putfbinfo(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                               | pxafb_task

pxafbremove | unregisterframebuffer(info) | dounregisterframebuffer(fbinfo) | putfbinfo(fbinfo) | // free fbi->fb | setctrlrstate(fbi, state) | _pxafblcdpower(fbi, 0) | fbi->lcdpower(on, &fbi->fb.var) | //use fbi->fb

Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove.

Note that only root user can remove the driver at runtime.

References

Affected packages