CVE-2024-57980

CVE-2024-57980 is a double-free vulnerability in the Linux kernel's uvcvideo driver, which supports USB Video Class (UVC) devices such as webcams. The flaw arises in the error path of the uvc_status_init() function: if allocation of the int_urb fails, the function frees the dev->status pointer without resetting it to NULL. This results in a subsequent kfree() call in uvc_status_cleanup() attempting to double-free the same memory, as tracked under CWE-415.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable by a local attacker with low privileges and low complexity, requiring no user interaction and running with unchanged scope. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to memory corruption, kernel crashes, or privilege escalation.

Mitigation involves applying patches merged into Linux kernel stable trees, as detailed in the following commit references: https://git.kernel.org/stable/c/3ba8884a56a3eb97c22f0ce0e4dd410d4ca4c277, https://git.kernel.org/stable/c/6c36dcd662ec5276782838660f8533a7cb26be49, https://git.kernel.org/stable/c/87522ef165e5b6de8ef98cc318f3335166a1512c, https://git.kernel.org/stable/c/9232719ac9ce4d5c213cebda23d72aec3e1c4c0d, and https://git.kernel.org/stable/c/c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac. The fix resets the dev->status pointer to NULL after freeing it in the error path. Security practitioners should ensure systems with UVC devices update to patched kernel versions promptly.