
CVE-2024-50266: Vulnerability in Linux Linux

Medium
Published: Tue Nov 19 2024 (11/19/2024, 01:30:02 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs

A recent change in the venus driver results in a stuck clock on the Lenovo ThinkPad X13s, for example, when streaming video in firefox:

    video_cc_mvs0_clk status stuck at 'off'
    WARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c
    ...
    Call trace:
     clk_branch_wait+0x144/0x15c
     clk_branch2_enable+0x30/0x40
     clk_core_enable+0xd8/0x29c
     clk_enable+0x2c/0x4c
     vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]
     coreid_power_v4+0x464/0x628 [venus_core]
     vdec_start_streaming+0xc4/0x510 [venus_dec]
     vb2_start_streaming+0x6c/0x180 [videobuf2_common]
     vb2_core_streamon+0x120/0x1dc [videobuf2_common]
     vb2_streamon+0x1c/0x6c [videobuf2_v4l2]
     v4l2_m2m_ioctl_streamon+0x30/0x80 [v4l2_mem2mem]
     v4l_streamon+0x24/0x30 [videodev]

using the out-of-tree sm8350/sc8280xp venus support. [1]

Update also the sm8350/sc8280xp GDSC definitions so that the hw control mode can be changed at runtime as the venus driver now requires.

AI-Powered Analysis

Last updated: 06/28/2025, 13:40:45 UTC

Technical Analysis

CVE-2024-50266 is a vulnerability identified in the Linux kernel specifically related to the Qualcomm Venus video codec driver (venus_core) used in certain hardware platforms such as the Qualcomm SM8350 and SC8280XP chipsets. The issue arises from a recent change in the venus driver that affects the clock control subsystem, particularly the Generic Dynamic Switch Controller (GDSC) definitions and their runtime control mode. This results in a stuck clock state, where the video clock (video_cc_mvs0_clk) remains in the 'off' state, causing video streaming operations to fail or hang. The problem has been observed on devices like the Lenovo ThinkPad X13s when streaming video in Firefox, with kernel warnings indicating failures in clock branch enablement functions (clk_branch_wait, clk_branch2_enable, clk_core_enable, clk_enable) and subsequent failures in video codec streaming functions (vdec_start_streaming, vb2_start_streaming, vb2_streamon, v4l2_m2m_ioctl_streamon). The root cause is that the venus driver now requires the hardware control mode of the GDSCs to be changeable at runtime, but the existing definitions do not support this, leading to the clock control deadlock. The fix involves updating the GDSC definitions for affected Qualcomm platforms to use HW_CTRL_TRIGGER mode, enabling proper runtime control and preventing the clock from getting stuck. This vulnerability does not currently have known exploits in the wild and does not have an assigned CVSS score. It primarily affects Linux kernel versions containing the specified commit hashes and platforms using the Qualcomm SM8350/SC8280XP SoCs with the venus video codec driver.

Potential Impact

For European organizations, this vulnerability can impact any systems running affected Linux kernel versions on hardware platforms using Qualcomm SM8350 or SC8280XP chipsets, such as certain Lenovo ThinkPad X13s laptops. The primary impact is on video streaming and processing capabilities, which could disrupt multimedia applications, video conferencing, or any video-dependent workflows. This can degrade user experience and productivity, especially in remote work or digital collaboration scenarios prevalent in Europe. While this vulnerability does not directly lead to privilege escalation or data leakage, the denial of service caused by stuck clocks can result in system instability or crashes during video operations. Organizations relying on Linux-based embedded systems or edge devices with these chipsets may also face operational disruptions. Since the issue is related to hardware clock control, it may require kernel updates or firmware patches, which could be challenging to deploy rapidly in large enterprise environments. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to service interruptions.

Mitigation Recommendations

1. Apply the official Linux kernel patches that update the GDSC definitions for Qualcomm SM8350 and SC8280XP platforms to use HW_CTRL_TRIGGER mode, as indicated in the vulnerability disclosure.
2. Ensure that Linux kernel versions on affected devices are updated to the fixed versions containing the patch commits (refer to the commit hashes or kernel release notes).
3. For organizations using Lenovo ThinkPad X13s or similar hardware, coordinate with hardware vendors for firmware or BIOS updates that may complement the kernel fix.
4. Test video streaming and codec functionality post-patch in controlled environments before wide deployment to avoid unexpected disruptions.
5. Monitor kernel logs for clock-related warnings or errors (e.g., clk_branch_wait failures) as indicators of unresolved issues.
6. If immediate patching is not feasible, consider limiting video streaming workloads on affected devices or using alternative hardware until fixes are applied.
7. Maintain an inventory of affected hardware and kernel versions to prioritize patch management efforts.
8. Engage with Linux distribution maintainers for backported fixes if using long-term support kernels.
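One way to implement the log monitoring in item 5, as an added example that is not code from this advisory or from the kernel project: it scans kernel log text for the "status stuck" message, pairs it with the clk_branch_wait warning, and records which modules appear in the call trace. The sample log is constructed from the warning quoted in the description (timestamps are made up), and the function name and record fields are this example's own.

```python
import re

# Constructed sample, modelled on the warning quoted in the description above
# (timestamps are made up; the trace is shortened).
SAMPLE_LOG = """\
[  812.104511] video_cc_mvs0_clk status stuck at 'off'
[  812.104538] WARNING: CPU: 6 PID: 2885 at drivers/clk/qcom/clk-branch.c:87 clk_branch_wait+0x144/0x15c
[  812.104702] Call trace:
[  812.104705]  clk_branch_wait+0x144/0x15c
[  812.104709]  clk_branch2_enable+0x30/0x40
[  812.104713]  vcodec_clks_enable.isra.0+0x94/0xd8 [venus_core]
[  812.104718]  vdec_start_streaming+0xc4/0x510 [venus_dec]
[  812.300000] wlan0: associated
"""

STUCK = re.compile(r"(?P<clk>\w+) status stuck at '(?P<state>on|off)'")
WARN = re.compile(r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at \S+ clk_branch_wait\+")
FRAME = re.compile(r"\s(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?\s*$")


def find_stuck_clocks(log_text):
    """Return one record per 'status stuck' message, with the trace that follows it."""
    findings, current = [], None
    for line in log_text.splitlines():
        stuck = STUCK.search(line)
        if stuck:
            current = {"clock": stuck["clk"], "state": stuck["state"],
                       "pid": None, "frames": [], "modules": []}
            findings.append(current)
            continue
        if current is None:
            continue
        warn = WARN.search(line)
        if warn:  # checked before FRAME: the WARNING line also ends in sym+off/len
            current["pid"] = int(warn["pid"])
            continue
        frame = FRAME.search(line)
        if frame:
            current["frames"].append(frame["sym"])
            if frame["mod"] and frame["mod"] not in current["modules"]:
                current["modules"].append(frame["mod"])
        elif current["frames"]:
            current = None  # first non-frame line after the trace closes the record
    return findings


if __name__ == "__main__":
    for f in find_stuck_clocks(SAMPLE_LOG):
        print(f"{f['clock']} stuck {f['state']} (pid {f['pid']}), modules: {f['modules']}")
```

A record whose `modules` list contains `venus_core` matches the pattern in this CVE; the same message from other clocks points to a different driver.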


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.982Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf6dc

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:40:45 PM

Last updated: 7/31/2025, 7:20:40 PM
