CVE-2024-56578: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56578 is a vulnerability in the Linux kernel's imx-jpeg driver discovered in December 2024. The issue occurs when video drvdata is set after the video device is registered, which can cause video_drvdata() to return NULL in the open() file operations, leading to a system oops. This vulnerability affects Linux kernel versions from 5.13 up to versions before 5.15.174, 6.1.120, 6.6.64, and 6.12.4 (NVD).

The vulnerability stems from an incorrect ordering of operations in the imx-jpeg driver's probe function. The video_set_drvdata() call was incorrectly placed after the video device registration, which could result in a NULL pointer dereference during device operations. The issue was fixed by moving the video_set_drvdata(jpeg->dec_vdev, jpeg) call before the video device registration. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can cause a system oops (kernel panic) when attempting to open the affected video device, potentially leading to system instability or denial of service. The impact is limited to local attacks and requires local user privileges to exploit (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves reordering the video_set_drvdata() call to occur before video device registration. Users should update to kernel versions 5.15.174, 6.1.120, 6.6.64, or 6.12.4 or later to address this vulnerability (Kernel Patch).