{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-35921","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-17T13:50:33.124Z","datePublished":"2024-05-19T10:10:33.053Z","dateUpdated":"2025-05-04T09:08:25.668Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:08:25.668Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: mediatek: vcodec: Fix oops when HEVC init fails\n\nThe stateless HEVC decoder saves the instance pointer in the context\nregardless if the initialization worked or not. This caused a use after\nfree, when the pointer is freed in case of a failure in the deinit\nfunction.\nOnly store the instance pointer when the initialization was successful,\nto solve this issue.\n\n Hardware name: Acer Tomato (rev3 - 4) board (DT)\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n lr : vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n sp : ffff80008750bc20\n x29: ffff80008750bc20 x28: ffff1299f6d70000 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n x23: ffff80008750bc98 x22: 000000000000a003 x21: ffffd45c4cfae000\n x20: 0000000000000010 x19: ffff1299fd668310 x18: 000000000000001a\n x17: 000000040044ffff x16: ffffd45cb15dc648 x15: 0000000000000000\n x14: ffff1299c08da1c0 x13: ffffd45cb1f87a10 x12: ffffd45cb2f5fe80\n x11: 0000000000000001 x10: 0000000000001b30 x9 : ffffd45c4d12b488\n x8 : 1fffe25339380d81 x7 : 0000000000000001 x6 : ffff1299c9c06c00\n x5 : 0000000000000132 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 0000000000000010 x1 : ffff80008750bc98 x0 : 0000000000000000\n Call trace:\n  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]\n  vcodec_send_ap_ipi+0x78/0x170 [mtk_vcodec_dec]\n  vpu_dec_deinit+0x1c/0x30 [mtk_vcodec_dec]\n  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]\n  vdec_if_deinit+0x38/0x68 [mtk_vcodec_dec]\n  mtk_vcodec_dec_release+0x20/0x40 [mtk_vcodec_dec]\n  fops_vcodec_release+0x64/0x118 [mtk_vcodec_dec]\n  v4l2_release+0x7c/0x100\n  __fput+0x80/0x2d8\n  __fput_sync+0x58/0x70\n  __arm64_sys_close+0x40/0x90\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0x48/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x38/0xd8\n  el0t_64_sync_handler+0xc0/0xc8\n  el0t_64_sync+0x1a8/0x1b0\n Code: d503201f f9401660 b900127f b900227f (f9400400)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"],"versions":[{"version":"2674486aac7d9c95ceb77daf7c30f862d4295c1c","lessThan":"ec25fc3c2c1e8958a51abcfed614f81446d918c4","status":"affected","versionType":"git"},{"version":"2674486aac7d9c95ceb77daf7c30f862d4295c1c","lessThan":"521ce0ea7418298d754494fe53263c23c4c78a8e","status":"affected","versionType":"git"},{"version":"2674486aac7d9c95ceb77daf7c30f862d4295c1c","lessThan":"97c75ee5de060d271d80109b0c47cb6008439e5b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"6.6.27","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.6","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.8.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4"},{"url":"https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e"},{"url":"https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b"}],"title":"media: mediatek: vcodec: Fix oops when HEVC init fails","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-35921","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-05-29T18:19:45.547100Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:34:06.409Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:21:49.035Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/ec25fc3c2c1e8958a51abcfed614f81446d918c4","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/97c75ee5de060d271d80109b0c47cb6008439e5b","tags":["x_transferred"]}]}]}}