CVE-2024-47754: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-47754 affects the Linux kernel's MediaTek video codec driver, specifically the H264 multi stateless decoder component. The vulnerability was discovered in October 2024 and involves a NULL pointer dereference issue in the vdech264reqmultiif.c file. The affected versions include Linux kernel versions from 5.19 up to (excluding) 6.6.54, from 6.7 up to (excluding) 6.10.13, and from 6.11 up to (excluding) 6.11.2 (NVD).

The vulnerability stems from a smatch static checker warning in the vdech264reqmultiif.c file, where a NULL pointer dereference can occur when the frame buffer (fb) is NULL. The issue was introduced in commit 397edc703a10 which added the h264 decoder driver for mt8186. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability leads to a kernel crash when the frame buffer is NULL, potentially causing a denial of service condition on affected systems. The impact is limited to availability with no direct effects on confidentiality or integrity (NVD).

The vulnerability has been patched in the Linux kernel. The fix includes proper NULL pointer checking before accessing the frame buffer and returning an appropriate error code (-ENOMEM) when the buffer is NULL. The patch has been backported to affected stable kernel versions. Users should update to Linux kernel versions 6.6.54, 6.10.13, or 6.11.2 or later to address this vulnerability (Kernel Patch).