CVE-2024-56571

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.11.0-rc7

Description The issue is related to the media: uvcvideo component of the Linux kernel, where entities are required to have a non-zero unique ID as per the UVC 1.1+ specification 3.7.2. The vulnerability arises when an entity with ID 0 or an ID that belongs to a unit already added to the list of entities is allocated. This can lead to warnings due to a chain of entities referring to themselves. The problem is resolved by denying the allocation of such entities.

Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, for Linux kernel versions prior to 6.11.0-rc7, update to version 6.11.0-rc7 or later. As a temporary workaround, consider disabling the media create pad link() function until a patch is available. Restrict access to the vulnerable uvcvideo module to minimize the risk of exploitation. Avoid using the bUnitID or bTerminalID fields in the descriptor until the issue is resolved.