[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-43900":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":41},"DEBIAN-CVE-2024-43900","In the Linux kernel, the following vulnerability has been resolved:  media: xc2028: avoid use-after-free in load_firmware_cb()  syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free.  The process is as follows:  task-6504           worker_thread tuner_probe                             \u003C= alloc dvb_frontend [2] ... request_firmware_nowait                 \u003C= create a worker ... tuner_remove                            \u003C= free dvb_frontend ...                     request_firmware_work_func  \u003C= the firmware is ready                     load_firmware_cb    \u003C= but now the dvb_frontend has been freed  To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return.  [1]:     ==================================================================      BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0      Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504       Call trace:       load_firmware_cb+0x1310/0x17a0       request_firmware_work_func+0x128/0x220       process_one_work+0x770/0x1824       worker_thread+0x488/0xea0       kthread+0x300/0x430       ret_from_fork+0x10/0x20       Allocated by task 6504:       kzalloc       tuner_probe+0xb0/0x1430       i2c_device_probe+0x92c/0xaf0       really_probe+0x678/0xcd0       driver_probe_device+0x280/0x370       __device_attach_driver+0x220/0x330       bus_for_each_drv+0x134/0x1c0       __device_attach+0x1f4/0x410       device_initial_probe+0x20/0x30       bus_probe_device+0x184/0x200       device_add+0x924/0x12c0       device_register+0x24/0x30       i2c_new_device+0x4e0/0xc44       v4l2_i2c_new_subdev_board+0xbc/0x290       v4l2_i2c_new_subdev+0xc8/0x104       em28xx_v4l2_init+0x1dd0/0x3770       Freed by task 6504:       kfree+0x238/0x4e4       tuner_remove+0x144/0x1c0       i2c_device_remove+0xc8/0x290       __device_release_driver+0x314/0x5fc       device_release_driver+0x30/0x44       bus_remove_device+0x244/0x490       device_del+0x350/0x900       device_unregister+0x28/0xd0       i2c_unregister_device+0x174/0x1d0       v4l2_device_unregister+0x224/0x380       em28xx_v4l2_init+0x1d90/0x3770       The buggy address belongs to the object at ffff8000d7ca2000       which belongs to the cache kmalloc-2k of size 2048      The buggy address is located 776 bytes inside of       2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)      The buggy address belongs to the page:      page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0      flags: 0x7ff800000000100(slab)      raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000      page dumped because: kasan: bad access detected       Memory state around the buggy address:       ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb       ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb      >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb                            ^       ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb       ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb      ==================================================================  [2]     Actually, it is allocated for struct tuner, and dvb_frontend is inside.",null,[],[],[],[14],{"_key":15},"CVE-2024-43900",[17],{"_key":18},"DLA-4008-1",[],[],"2024-08-26T11:15:04.613Z","2026-04-28T20:28:29.201647Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2024-43900",[29],"osv_debian",[31],"Advisory",[],[],[35],{"source":29,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":36,"cvss_v4_0":9},{"baseScore":37,"baseSeverity":9,"vectorString":38,"impactScore":39,"exploitabilityScore":40},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[42,60],{"ecosystem":43,"name":44,"vendor":45,"product":44,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":44,"source":9,"versions":47},"Debian","linux","debian","deb",[48,52,56,59],{"version":49,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":53,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":55,"fixed_in":9},"lt6_1_106_1","6.1.106-1","excluding",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},"lt6_10_6_1","6.10.6-1",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},{"ecosystem":43,"name":61,"vendor":45,"product":61,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":61,"source":9,"versions":62},"linux-6.1",[63],{"version":64,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":65,"version_end_type":55,"fixed_in":9},"lt6_1_119_1~deb11u1","6.1.119-1~deb11u1"]