{"id":"CVE-2024-49924","summary":"fbdev: pxafb: Fix possible use after free in pxafb_task()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: pxafb: Fix possible use after free in pxafb_task()\n\nIn the pxafb_probe function, it calls the pxafb_init_fbinfo function,\nafter which &fbi-\u003etask is associated with pxafb_task. Moreover,\nwithin this pxafb_init_fbinfo function, the pxafb_blank function\nwithin the &pxafb_ops struct is capable of scheduling work.\n\nIf we remove the module which will call pxafb_remove to make cleanup,\nit will call unregister_framebuffer function which can call\ndo_unregister_framebuffer to free fbi-\u003efb through\nput_fb_info(fb_info), while the work mentioned above will be used.\nThe sequence of operations that may lead to a UAF bug is as follows:\n\nCPU0 CPU1\n\n | pxafb_task\npxafb_remove |\nunregister_framebuffer(info) |\ndo_unregister_framebuffer(fb_info) |\nput_fb_info(fb_info) |\n// free fbi-\u003efb | set_ctrlr_state(fbi, state)\n | __pxafb_lcd_power(fbi, 0)\n | fbi-\u003elcd_power(on, &fbi-\u003efb.var)\n | //use fbi-\u003efb\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in pxafb_remove.\n\nNote that only root user can remove the driver at runtime.","modified":"2026-04-16T04:37:48.572119536Z","published":"2024-10-21T18:01:49.076Z","related":["SUSE-SU-2024:4315-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4376-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49924.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49924.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-49924"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9f17f2874834f4cdbe48cc05676d8f7558793204"},{"fixed":"e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd"},{"fixed":"6d0a07f68b66269e167def6c0b90a219cd3e7473"},{"fixed":"e6897e299f57b103e999e62010b88e363b3eebae"},{"fixed":"4cda484e584be34d55ee17436ebf7ad11922b97a"},{"fixed":"3c0d416eb4bef705f699213cee94bf54b6acdacd"},{"fixed":"fdda354f60a576d52dcf90351254714681df4370"},{"fixed":"aaadc0cb05c999ccd8898a03298b7e5c31509b08"},{"fixed":"a3a855764dbacbdb1cc51e15dc588f2d21c93e0e"},{"fixed":"4a6921095eb04a900e0000da83d9475eb958e61e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49924.json"}}],"schema_version":"1.7.5"}