A vulnerability was found in Kernel, where an avoid cyclic entity chains due to malformed USB descriptors Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked up the UVC chain scanning code. References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=68035c80e129c4cfec659aac4180354530b26527
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1919792]
This was fixed for Fedora with the 5.4.19 stable kernel updates.
Mitigation: To mitigate this issue, prevent the module uvcvideo from being loaded. Please see https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module to prevent it from loading automatically.
External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=68035c80e129c4cfec659aac4180354530b26527
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-0404