CVE-2024-58054

CVE-2024-58054 is a vulnerability in the Linux kernel's staging/media/max96712 driver that causes a kernel oops during module removal. The issue arises because v4l2_i2c_subdev_init() calls i2c_set_clientdata(), overwriting the client data pointer to point to the subdevice structure (sd) instead of the private data (priv). Consequently, during module removal via max96712_remove(), an incorrect pointer is passed to v4l2_async_unregister_subdev(), resulting in a paging fault and kernel crash, as evidenced by the provided stack trace showing a data abort at led_put() with a invalid virtual address.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). By executing rmmod on the max96712 module—typically after it has been loaded—the attacker triggers the kernel oops, leading to a denial of service due to system instability (A:H). The CVSS v3.1 base score of 7.1 also rates confidentiality impact as high (C:H), potentially allowing memory disclosure through the crash dump, though integrity impact is none (I:N).

Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes: 1556b9149b81cc549c13f5e56e81e89404d8a666, 278a98f6d8a7bbe1110433b057333536e4490edf, 3311c5395e7322298b659b8addc704b39fb3a59c, dfde3d63afbaae664c4d36e53cfb4045d5374561, and ee1b5046d5cd892a0754ab982aeaaad3702083a5. These commits resolve the pointer overwrite in the max96712 driver for affected kernel versions.