UBUNTU-CVE-2023-52491

Advisory lineage Upstream: 1 Downstream: 11
Upstream
CVE-2023-52491
Published: 11 Mar 2024, 18:15
Last modified:20 May 2026, 16:14

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

11 Mar 2024, 18:15
Published
Vulnerability first disclosed
20 May 2026, 16:14
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • ubuntulinux

    < 5.15.0-106.116

  • ubuntulinux-allwinner-5.19

    all

  • ubuntulinux-aws

    < 5.15.0-1061.67

  • ubuntulinux-aws-5.0

    all

  • ubuntulinux-aws-5.11

    all

  • ubuntulinux-aws-5.13

    all

  • ubuntulinux-aws-5.15

    < 5.15.0-1061.67~20.04.1

  • ubuntulinux-aws-5.19

    all

  • ubuntulinux-aws-5.3

    all

  • ubuntulinux-aws-5.8

    all

  • ubuntulinux-aws-6.2

    all

  • ubuntulinux-aws-6.5

    all

  • ubuntulinux-aws-fips

    all | < 5.15.0-1061.67+fips1

  • ubuntulinux-azure

    all | < 5.15.0-1063.72

  • ubuntulinux-azure-5.11

    all

  • ubuntulinux-azure-5.13

    all

  • ubuntulinux-azure-5.15

    < 5.15.0-1063.72~20.04.1

  • ubuntulinux-azure-5.19

    all

  • ubuntulinux-azure-5.3

    all

  • ubuntulinux-azure-5.8

    all

  • ubuntulinux-azure-6.2

    all

  • ubuntulinux-azure-6.5

    < 6.5.0-1022.23~22.04.1

  • ubuntulinux-azure-edge

    all

  • ubuntulinux-azure-fde

    all | < 5.15.0-1063.72.1 | all

  • ubuntulinux-azure-fde-5.19

    all

  • ubuntulinux-azure-fde-6.2

    all

  • ubuntulinux-azure-fde-6.8

    all

  • ubuntulinux-azure-fips

    all | < 5.15.0-1063.72+fips1

  • ubuntulinux-bluefield

    < 5.15.0-1043.45 | < 5.15.0-1043.45

  • ubuntulinux-fips

    all | < 5.15.0-106.116+fips1

  • ubuntulinux-gcp

    all | < 5.15.0-1059.67

  • ubuntulinux-gcp-5.11

    all

  • ubuntulinux-gcp-5.13

    all

  • ubuntulinux-gcp-5.15

    < 5.15.0-1059.67~20.04.1

  • ubuntulinux-gcp-5.19

    all

  • ubuntulinux-gcp-5.3

    all

  • ubuntulinux-gcp-5.8

    all

  • ubuntulinux-gcp-6.2

    all

  • ubuntulinux-gcp-6.5

    < 6.5.0-1022.24~22.04.1

  • ubuntulinux-gcp-fips

    all | < 5.15.0-1059.67+fips1

  • ubuntulinux-gke

    all | < 5.15.0-1058.63

  • ubuntulinux-gke-4.15

    all

  • ubuntulinux-gke-5.15

    all

  • ubuntulinux-gke-5.4

    all

  • ubuntulinux-gkeop

    < 5.15.0-1044.51

  • ubuntulinux-gkeop-5.15

    < 5.15.0-1044.51~20.04.1

  • ubuntulinux-gkeop-5.4

    all

  • ubuntulinux-hwe

    all

  • ubuntulinux-hwe-5.11

    all

  • ubuntulinux-hwe-5.13

    all

Showing first 50 affected entries in server-rendered view.

References (22)