CVE-2024-38547: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-38547 is a vulnerability in the Linux kernel's media subsystem, specifically in the atomisp driver's sshcss component. The vulnerability was discovered and disclosed on June 19, 2024, affecting Linux kernel versions from 4.12 up to versions before 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.8.12, and 6.9.3. The issue involves a null-pointer dereference vulnerability in the loadvideo_binaries function (NVD).

The vulnerability stems from a null-pointer dereference in the loadvideobinaries function within the atomisp driver. The issue occurs when mycs->yuvscalerbinary allocation fails, followed by an attempt to dereference the null pointer through the call chain: shcsspipeloadbinaries() -> loadvideobinaries() -> shcsspipeunloadbinaries() -> unloadvideobinaries(). The CVSS v3.1 base score is 5.5 (Medium), with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a system crash due to the null-pointer dereference, potentially causing a denial of service condition. The CVSS scoring indicates that while the vulnerability requires local access and cannot lead to information disclosure or integrity compromise, it can cause high availability impact to the affected system (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves properly handling the allocation failure case by setting mycs->numyuvscaler to 0 before returning the error. Multiple stable kernel versions have received the fix, including versions 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.8.12, and 6.9.3 (Kernel Patch).