CVE-2021-47338

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.10.45-rc1+

Description The issue is related to the execution of fb delete videomode() not being based on the result of the previous fbcon mode deleted(), leading to the direct deletion of a mode regardless of whether it is still in use. This may cause a use-after-free (UAF) vulnerability. The vulnerability is identified in the fb mode is equal() function in drivers/video/fbdev/core/modedb.c.

Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. As a temporary workaround, consider disabling the fb delete videomode() function until a patch is available. Restrict access to the vulnerable module drivers/video/fbdev/core/modedb.c to minimize the risk of exploitation. Avoid using the fb set var() function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.