Linux Kernel ACPI Video Component Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the ACPI video component of the Linux kernel. This issue arises in the 'switch_brightness_work' delayed work, which accesses 'device->brightness' and 'device->backlight'. These resources can be freed by 'acpi_video_dev_unregister_backlight()' during device removal. If the delayed work executes after 'acpi_video_bus_unregister_backlight()' has freed these resources, it leads to a use-after-free condition when 'acpi_video_switch_brightness()' tries to dereference 'device->brightness' or 'device->backlight'.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, a device must be removed while the 'switch_brightness_work' delayed work is still queued. This can be done by unregistering the backlight for a video device without first canceling the delayed work that handles brightness adjustments. The vulnerability can be observed when the queued work tries to access the freed 'brightness' or 'backlight' resources, causing a use-after-free condition.
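The ordering problem described above, as an added userspace model that is not kernel code and not taken from the fix: it compares removal that frees the backlight data while the work is still queued with removal that cancels the work first. All 'model_*' names are hypothetical stand-ins, and 'model_cancel_work_sync()' stands in for the kernel's 'cancel_delayed_work_sync()'.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name here is a hypothetical stand-in. */
struct model_dev {
    int *brightness;    /* stands in for device->brightness */
    bool freed;         /* lifetime tracking, so the model never touches freed memory */
    bool work_pending;  /* stands in for a queued switch_brightness_work */
};

static void model_init(struct model_dev *d) {
    d->brightness = malloc(sizeof *d->brightness);
    if (!d->brightness) abort();
    *d->brightness = 50;
    d->freed = false;
    d->work_pending = true;   /* a brightness event has queued the delayed work */
}

/* Models cancel_delayed_work_sync(): once it returns, the work cannot run. */
static void model_cancel_work_sync(struct model_dev *d) { d->work_pending = false; }

/* Models the unregister path that frees the data the work handler uses. */
static void model_unregister_backlight(struct model_dev *d) {
    free(d->brightness);
    d->freed = true;
}

/* Timer expiry: 0 = ran on live data, 1 = would touch freed data, -1 = nothing queued. */
static int model_run_work(struct model_dev *d) {
    if (!d->work_pending) return -1;
    d->work_pending = false;
    if (d->freed) return 1;   /* the use-after-free window */
    *d->brightness += 10;
    return 0;
}

/* Device removal; cancel_first == false is the order described above. */
int model_remove(bool cancel_first) {
    struct model_dev d;
    model_init(&d);
    if (cancel_first) model_cancel_work_sync(&d);
    model_unregister_backlight(&d);
    return model_run_work(&d);   /* the delayed work's timer fires after removal */
}

int main(void) {
    printf("free first: %d, cancel first: %d\n", model_remove(false), model_remove(true));
    return 0;
}
```

When reviewing driver teardown paths, the same check applies to any delayed work or timer: it must be cancelled synchronously before the memory its handler dereferences is released.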

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Nov 21, 2025, 11:17 AM
Updated: Nov 21, 2025, 3:37 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.