CVE-2023-52491

Advisory lineage Upstream: 0 Downstream: 15

Downstream

DEBIAN-CVE-2023-52491 DLA-3842-1 DSA-5681-1 UBUNTU-CVE-2023-52491 USN-6766-1 USN-6766-2

Analyzed

Published: 29 Feb 2024, 15:52

Last modified:11 May 2026, 19:28

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 Feb 2024, 15:52

Published

Vulnerability first disclosed

11 May 2026, 19:28

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.02%• Percentile: 4%

Techniques & Countermeasures

CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

linux•linux
≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 43872f44eee6c6781fea1348b38885d8e78face9 | ≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 1b1036c60a37a30caf6759a90fe5ecd06ec35590 | ≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 9fec4db7fff54d9b0306a332bab31eac47eeb5f6 | ≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 8254d54d00eb6cdb8367399c7f912eb8d354ecd7 | ≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 6e2f37022f0fc0893da4d85a0500c9d547fffd4c | ≥ b2f0d2724ba477d326e9d654d4db1c93e98f8b93, < 206c857dd17d4d026de85866f1b5f0969f2a109e | 4.12
linux•linux_kernel
≥ 4.12, < 5.10.210 | ≥ 5.11, < 5.15.149 | ≥ 5.16, < 6.1.76 | ≥ 6.2, < 6.6.15 | ≥ 6.7, < 6.7.3