
CVE-2024-58003: media: i2c: ds90ub9x3: Fix extra fwnode_handle_put()

Description

In the Linux kernel, the following vulnerability has been resolved:

media: i2c: ds90ub9x3: Fix extra fwnode_handle_put()

The ub913 and ub953 drivers call fwnode_handle_put(priv->sd.fwnode) as
part of their remove process, and if the driver is removed multiple
times, this eventually leads to a put "overflow", possibly causing memory
corruption or a crash.

The fwnode_handle_put() is a leftover from commit 905f88ccebb1 ("media:
i2c: ds90ub9x3: Fix sub-device matching"), which changed the code
related to the sd.fwnode, but missed removing these fwnode_handle_put()
calls.
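
The reference-count imbalance described above, as an added user-space model (not kernel or driver code, and not part of the original advisory). The `node` type, `run_cycles()` and the owner's reference count are hypothetical, and the model assumes probe takes no reference of its own, which is what "leftover" implies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy refcounted node; a stand-in for illustration, not struct fwnode_handle. */
struct node { int refs; bool freed; };

struct outcome { int freed_at; int rejected_puts; int refs_left; };

static void node_get(struct node *n) { n->refs++; }

/* Drop one reference. Returns false when there is no reference left to drop. */
static bool node_put(struct node *n)
{
    if (n->freed || n->refs <= 0)
        return false;             /* the "overflow": more puts than gets */
    if (--n->refs == 0)
        n->freed = true;          /* last reference gone, node released */
    return true;
}

/* Simulate bind/unbind cycles. The owner holds owner_refs references for the
 * whole run; probe takes none. With leftover_put set, remove drops one anyway. */
struct outcome run_cycles(int owner_refs, int cycles, bool leftover_put)
{
    struct node n = { 0, false };
    struct outcome out = { 0, 0, 0 };

    for (int i = 0; i < owner_refs; i++)
        node_get(&n);

    for (int cycle = 1; cycle <= cycles; cycle++) {
        /* probe: stores the node pointer, no node_get() */
        if (!leftover_put)
            continue;             /* fixed remove: nothing to drop */
        if (!node_put(&n))
            out.rejected_puts++;
        else if (n.freed && out.freed_at == 0)
            out.freed_at = cycle; /* released while the owner still uses it */
    }
    out.refs_left = n.refs;
    return out;
}

int main(void)
{
    struct outcome bad = run_cycles(2, 5, true), ok = run_cycles(2, 5, false);
    printf("leftover put: freed at cycle %d, %d rejected puts\n", bad.freed_at, bad.rejected_puts);
    printf("fixed remove: freed at cycle %d, %d refs left\n", ok.freed_at, ok.refs_left);
    return 0;
}
```

In the model every unbind silently consumes a reference that belongs to someone else, so the node is released while its owner still points at it, and each later unbind is a put with nothing left to drop.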

Classification

CVE ID: CVE-2024-58003

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 4.16% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-27 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-58003
https://git.kernel.org/stable/c/474d7baf91d37bc411fa60de5bbf03c9dd82e18a
https://git.kernel.org/stable/c/f4e4373322f8d4c19721831f7fb989e52d30dab0
https://git.kernel.org/stable/c/70743d6a8b256225675711e7983825f1be86062d
https://git.kernel.org/stable/c/60b45ece41c5632a3a3274115a401cb244180646

Timeline