cve/2024/CVE-2024-49981.md

### [CVE-2024-49981](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49981)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4.13%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=af2c3834c8ca7cc65d15592ac671933df8848115%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:media: venus: fix use after free bug in venus_remove due to race conditionin venus_probe, core->work is bound with venus_sys_error_handler, which isused to handle error. The code use core->sys_err_done to make sync work.The core->work is started in venus_event_notify.If we call venus_remove, there might be an unfished work. The possiblesequence is as follows:CPU0                  CPU1                     |venus_sys_error_handlervenus_remove         |hfi_destroy	 		 |venus_hfi_destroy	 |kfree(hdev);	     |                     |hfi_reinit					 |venus_hfi_queues_reinit                     |//use hdevFix it by canceling the work in venus_remove.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/w4zu/Debian_security
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`### [CVE-2024-49981](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49981)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=4.13%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=af2c3834c8ca7cc65d15592ac671933df8848115%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:media: venus: fix use after free bug in venus_remove due to race conditionin venus_probe, core->work is bound with venus_sys_error_handler, which isused to handle error. The code use core->sys_err_done to make sync work.The core->work is started in venus_event_notify.If we call venus_remove, there might be an unfished work. The possiblesequence is as follows:CPU0 CPU1 \|venus_sys_error_handlervenus_remove \|hfi_destroy \|venus_hfi_destroy \|kfree(hdev); \| \|hfi_reinit \|venus_hfi_queues_reinit \|//use hdevFix it by canceling the work in venus_remove.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/w4zu/Debian_security`