CVE-2024-35921

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the MediaTek video codec driver for the Linux kernel. When HEVC decoder initialization fails, the driver incorrectly stores a pointer that is later freed; accessing that stale pointer crashes the kernel. This affects Linux systems with MediaTek hardware using the vulnerable driver.

💻 Affected Systems

Products:
  • Linux kernel with MediaTek video codec driver (mtk_vcodec_dec)
Versions: Linux kernel versions that contain the vulnerable MediaTek driver code and predate the fix commit
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires MediaTek hardware with HEVC video decoding support. The vulnerability only triggers when HEVC decoder initialization fails.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash, denial of service, and potential local privilege escalation if combined with other vulnerabilities.

🟠 Likely Case: System crash or instability when video decoding fails on affected MediaTek hardware, causing denial of service.

🟢 If Mitigated: No impact if patched or if HEVC decoder initialization doesn't fail on affected systems.

🌐 Internet-Facing: LOW - This is a local kernel driver vulnerability requiring local access to trigger.
🏢 Internal Only: MEDIUM - Local users or processes could crash systems, but requires specific hardware and conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and specific conditions where HEVC decoder initialization fails. The crash trace suggests it's triggered during cleanup/deinitialization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with commit 521ce0ea7418298d754494fe53263c23c4c78a8e or later

Vendor Advisory: https://git.kernel.org/stable/c/521ce0ea7418298d754494fe53263c23c4c78a8e

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commit.
2. For embedded systems, update the kernel from your vendor.
3. Reboot system after kernel update.

🔧 Temporary Workarounds

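Disable HEVC decoding (Linux)

Prevent HEVC decoder initialization by blacklisting and unloading the mtk_vcodec_dec module. This removes all hardware video decoding provided by that module, not only HEVC. Run as root: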

echo 'blacklist mtk_vcodec_dec' > /etc/modprobe.d/disable-mtk-vcodec.conf
rmmod mtk_vcodec_dec

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable MediaTek hardware
  • Monitor for kernel crashes related to mtk_vcodec_dec module and investigate HEVC decoding failures

🔍 How to Verify

Check if Vulnerable:

Check if mtk_vcodec_dec module is loaded: lsmod | grep mtk_vcodec_dec. Check kernel version against patched versions.

Check Version:

uname -r

Verify Fix Applied:

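Verify the kernel source contains the fix commit: git log --oneline --no-abbrev-commit | grep -i '521ce0ea7418298d754494fe53263c23c4c78a8e' (run in the source tree the kernel was built from; plain --oneline prints abbreviated hashes, so the full hash would never match), or check that the kernel version is newer than the patched release.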

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning mtk_vcodec_dec, vcodec_vpu_send_msg, or vdec_hevc_slice_deinit
  • System crashes during video playback or decoding

Network Indicators:

  • None - this is a local kernel vulnerability

SIEM Query:

source="kernel" AND ("mtk_vcodec_dec" OR "vcodec_vpu_send_msg" OR "vdec_hevc_slice_deinit")
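The query above also matches harmless driver messages and the "Modules linked in:" line of any unrelated oops on a machine with the module loaded. The following added example (not part of the original advisory) counts only oops blocks whose call trace contains one of the listed functions; the sample log is constructed, and the arm64 oops header strings used as block markers are an assumption about the log format.

```shell
#!/bin/sh
# Added example: triage kernel log text for the crash signature listed above.

# Constructed sample log: timestamps, addresses, offsets and device name are made up.
sample_log() {
cat <<'EOF'
[   10.100000] mtk_vcodec_dec 16000000.video-codec: decoder registered
[  200.000000] Unable to handle kernel paging request at virtual address dead000000000100
[  200.000100] Modules linked in: mtk_vcodec_dec snd_soc_dummy
[  200.000200] Call trace:
[  200.000300]  vcodec_vpu_send_msg+0x4c/0x190 [mtk_vcodec_dec]
[  200.000400]  vdec_hevc_slice_deinit+0x30/0x98 [mtk_vcodec_dec]
[  200.000500] ---[ end trace 0000000000000000 ]---
[  900.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  900.000100] Modules linked in: mtk_vcodec_dec snd_soc_dummy
[  900.000200] Call trace:
[  900.000300]  example_unrelated_func+0x10/0x40
[  900.000400] ---[ end trace 0000000000000000 ]---
EOF
}

# Reads kernel log text on stdin and prints one summary line:
#   oopses           = oops blocks seen
#   vcodec_oopses    = oops blocks with a listed function as a stack frame
#   naive_line_hits  = lines the plain three-string query would return
classify_vcodec_log() {
  awk '
    # Start of an oops block (arm64 headers; assumed format).
    /Unable to handle kernel|Internal error: Oops/ {
      if (!in_oops) { in_oops = 1; total++; hit = 0 }
    }
    # What the unscoped query matches, for comparison.
    /mtk_vcodec_dec|vcodec_vpu_send_msg|vdec_hevc_slice_deinit/ { naive++ }
    # A stack frame looks like symbol+0xOFF/0xLEN, so require the +0x suffix.
    in_oops && /(vcodec_vpu_send_msg|vdec_hevc_slice_deinit)[+]0x/ { hit = 1 }
    # End of the block: record whether it carried the signature.
    in_oops && index($0, "---[ end trace") { if (hit) vhit++; in_oops = 0 }
    END {
      if (in_oops && hit) vhit++   # log was cut off before the end marker
      printf "oopses=%d vcodec_oopses=%d naive_line_hits=%d\n", total, vhit, naive
    }'
}

sample_log | classify_vcodec_log
```

On a live system, feed it real kernel log text instead of the sample, for example `journalctl -k -b -1 | classify_vcodec_log` for the previous boot.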
