CVE-2020-36785: 
Linux Kernel vulnerability analysis and mitigation

CVE-2020-36785 is a vulnerability in the Linux kernel's media subsystem, specifically in the AtomISP driver. The vulnerability was disclosed on February 28, 2024, and affects Linux kernel versions from 5.8 through 5.10.37, 5.11 through 5.11.21, and 5.12 through 5.12.4. The issue involves a use-after-free condition in the atomispalloccssstatbufs() function (NVD).

The vulnerability occurs when the 's3abuf' is freed along with all other items on the 'asd->s3astats' list, leading to both a double free and a use-after-free condition. The issue was identified in the atomispalloccssstatbufs() function of the AtomISP driver. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to memory corruption through double free and use-after-free conditions, potentially allowing an attacker to execute code, cause a denial of service, or gain elevated privileges on affected systems. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed through a patch that removes the premature freeing of the s3a_buf. The fix is included in Linux kernel versions 5.10.37, 5.11.21, and 5.12.4 and later. Users should upgrade to these or newer kernel versions to mitigate the vulnerability (Kernel Patch).