CVE-2024-58059 in Linuxinfo

Summary

by MITRE • 03/06/2025

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix deadlock during uvc_probe

If uvc_probe() fails, it can end up calling uvc_status_unregister() before uvc_status_init() is called.

Fix this by checking if dev->status is NULL or not in uvc_status_unregister().

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/16/2026

The vulnerability identified as CVE-2024-58059 represents a critical deadlock condition within the Linux kernel's USB video class driver implementation. This issue specifically affects the uvcvideo subsystem which handles USB video devices such as webcams and video capture hardware. The flaw manifests during the probe phase of USB video device initialization when the uvc_probe() function encounters a failure condition. The problematic behavior occurs because the driver attempts to clean up resources through uvc_status_unregister() without first ensuring that the corresponding initialization routine uvc_status_init() has been successfully executed.

The technical root cause of this vulnerability stems from improper state management within the USB video class driver's initialization sequence. When uvc_probe() fails, it attempts to invoke uvc_status_unregister() to perform cleanup operations, but this cleanup function is called before the device status structure has been properly initialized. This creates a race condition and potential deadlock scenario where the driver attempts to operate on uninitialized memory structures. The fix implemented addresses this by adding a null pointer check in uvc_status_unregister() to verify whether dev->status is properly initialized before attempting to perform cleanup operations. This approach aligns with defensive programming practices that prevent operations on uninitialized data structures.

The operational impact of this vulnerability extends beyond simple system stability concerns to potentially affect device functionality and system reliability in embedded and desktop environments where USB video devices are commonly used. Systems running affected kernel versions may experience complete system hangs or require manual intervention when USB video devices are connected or when the uvcvideo driver attempts to initialize failed devices. This vulnerability particularly affects systems with multiple USB video devices or those that frequently connect and disconnect USB video peripherals. The issue represents a classic case of improper resource management that can lead to denial of service conditions and system unresponsiveness.

Security implications of this vulnerability extend to potential exploitation scenarios where malicious actors could trigger the deadlock condition to cause system instability or denial of service attacks. The vulnerability falls under CWE-476 which describes "NULL Pointer Dereference" conditions, and may relate to ATT&CK technique T1499.004 for "Endpoint Denial of Service" when exploited in networked environments. The fix implemented represents a straightforward but critical defensive measure that prevents the driver from attempting cleanup operations on uninitialized structures. Organizations should prioritize patching affected systems as this vulnerability could be exploited to cause system instability or complete system hangs, particularly in environments where USB video devices are frequently used or where automated device detection is employed. The mitigation strategy involves updating to kernel versions containing the patched uvcvideo driver implementation that properly handles the initialization state checking before resource cleanup operations.

Responsible

Linux

Reservation

03/06/2025

Disclosure

03/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00112

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!