CVE-2024-42313: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-42313 is a use-after-free vulnerability discovered in the Linux kernel's media subsystem, specifically in the Venus video decoder component. The vulnerability was disclosed on August 17, 2024, and affects Linux kernel versions from 4.13 through 6.10.3. The issue occurs in the vdec_close function where buffer release work can be added to the work queue through HFI callbacks during normal decoding operations (NVD).

The vulnerability stems from improper handling of buffer release work in the work queue through HFI callbacks during the decoder device closure. When a user randomly closes the decoder device from userspace during normal decoding operations, it can lead to a use-after-free condition for the instance. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

The vulnerability could allow an attacker with local access to potentially execute arbitrary code or cause a denial of service condition. The high CVSS score reflects the potential for complete compromise of confidentiality, integrity, and availability of the affected system if successfully exploited (NVD).

The vulnerability has been fixed by adding a call to cancelworksync() for the delayedprocesswork in the vdec_close function. The fix has been implemented across multiple kernel versions and is available through various distribution updates. Ubuntu has released patches for affected versions, including 22.04 LTS, 20.04 LTS, and others (Ubuntu). Users are advised to update their systems to the patched versions.