Описание
In the Linux kernel, the following vulnerability has been resolved:
media: uvcvideo: Remove dangling pointers
When an async control is written, we copy a pointer to the file handle
that started the operation. That pointer will be used when the device is
done. Which could be anytime in the future.
If the user closes that file descriptor, its structure will be freed,
and there will be one dangling pointer per pending async control, that
the driver will try to use.
Clean all the dangling pointers during release().
To avoid adding a performance penalty in the most common case (no async
operation), a counter has been introduced with some logic to make sure
that it is properly handled.
A dangling pointer vulnerability was found in the Linux kernel. When an async control is written, a copy of a pointer is made in the file handle that started the operation. If the user closes that file descriptor, its structure will be freed and there will be one dangling pointer per pending async control that the driver will try to use, leading to denial of service of the system.
Отчет
A use after free problem was seen in uvc_ctrl_status_event in USB Video Class (UVC) driver. This flaw could allow a local normal user (which no special privilege) to crash the system at time of device closure. This vulnerability could even lead to a kernel information leak problem.
Меры по смягчению последствий
In order to mitigate this issue it is possible to prevent the affected code from being loaded by blacklisting the kernel "USB Video Class module" (uvcvideo) module . For instructions relating to how to blacklist a kernel module refer to: https://access.redhat.com/solutions/41278uvcvideoz
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:11428 | 21.07.2025 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2025:11299 | 16.07.2025 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2025:11298 | 16.07.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:13120 | 06.08.2025 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | kernel | Fixed | RHSA-2025:13120 | 06.08.2025 |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:13776 | 13.08.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.
In the Linux kernel, the following vulnerability has been resolved: m ...
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Remove dangling pointers When an async control is written, we copy a pointer to the file handle that started the operation. That pointer will be used when the device is done. Which could be anytime in the future. If the user closes that file descriptor, its structure will be freed, and there will be one dangling pointer per pending async control, that the driver will try to use. Clean all the dangling pointers during release(). To avoid adding a performance penalty in the most common case (no async operation), a counter has been introduced with some logic to make sure that it is properly handled.
EPSS
7.3 High
CVSS3