CVE-2024-44937: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel-vbtn: Protect ACPI notify handler against recursion Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may run on multiple CPU cores racing with themselves. This race gets hit on Dell Venue 7140 tablets when undocking from the keyboard, causing the handler to try and register priv->switches_dev twice, as can be seen from the dev_info() message getting logged twice: [ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event [ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17 [ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event After which things go seriously wrong: [ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17' ... [ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory. [ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018 ... Protect intel-vbtn notify_handler() from racing with itself with a mutex to fix this.
AI Analysis
Technical Summary
CVE-2024-44937 is a vulnerability in the Linux kernel affecting the ACPI (Advanced Configuration and Power Interface) notify handler for the intel-vbtn driver, which manages Intel Virtual Button events. The root cause is a race condition introduced by a kernel commit (e2ffcda16290) that allowed ACPI notify handlers to run concurrently on multiple CPU cores. This concurrency leads to the intel-vbtn notify_handler() racing against itself, particularly evident on Dell Venue 7140 tablets during keyboard undocking events. The race condition causes the handler to attempt registering the same input device (priv->switches_dev) multiple times, resulting in duplicate device registration attempts. This triggers kernel log messages indicating duplicate registration and ultimately leads to a kernel NULL pointer dereference and system instability or crash. The fix involves protecting the notify_handler() with a mutex to serialize access and prevent concurrent execution, thereby eliminating the race condition. This vulnerability is specific to the intel-vbtn ACPI driver and the Linux kernel versions containing the problematic commit. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-44937 primarily concerns systems running vulnerable Linux kernels on hardware platforms using the intel-vbtn driver, notably certain Dell Venue tablets or similar devices. The vulnerability can cause kernel crashes (denial of service) due to NULL pointer dereferences triggered by race conditions in ACPI event handling. This can lead to system instability, unexpected reboots, or downtime, which may disrupt business operations, especially in environments relying on affected hardware for critical tasks. While this vulnerability does not directly lead to privilege escalation or data compromise, the denial of service can affect availability, potentially impacting service continuity. Organizations with Linux-based endpoint devices, embedded systems, or specialized hardware using affected drivers should be aware. The lack of known exploits reduces immediate risk, but the vulnerability could be targeted in the future, especially in environments where physical undocking events or similar triggers are common. Additionally, kernel crashes can complicate forensic investigations and may be leveraged as part of multi-stage attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patch that introduces a mutex to protect the intel-vbtn notify_handler(), preventing concurrent execution and race conditions. Monitor Linux kernel repositories and vendor advisories for updated kernel versions containing this fix. 2. For organizations unable to immediately patch, consider temporarily disabling the intel-vbtn driver if it is not critical to operations, to avoid triggering the race condition. 3. Implement robust monitoring of kernel logs for duplicate registration messages or related ACPI errors that could indicate attempts to exploit this vulnerability. 4. Test kernel updates in controlled environments before deployment to ensure compatibility and stability, especially on affected hardware models like Dell Venue tablets. 5. Maintain an inventory of hardware models and Linux kernel versions in use to identify potentially vulnerable systems. 6. Educate IT and security teams about this vulnerability to recognize symptoms of kernel instability related to ACPI events. 7. Coordinate with hardware vendors for firmware updates or guidance if applicable, as ACPI interactions involve both hardware and software layers.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
CVE-2024-44937: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel-vbtn: Protect ACPI notify handler against recursion Since commit e2ffcda16290 ("ACPI: OSL: Allow Notify () handlers to run on all CPUs") ACPI notify handlers like the intel-vbtn notify_handler() may run on multiple CPU cores racing with themselves. This race gets hit on Dell Venue 7140 tablets when undocking from the keyboard, causing the handler to try and register priv->switches_dev twice, as can be seen from the dev_info() message getting logged twice: [ 83.861800] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event [ 83.861858] input: Intel Virtual Switches as /devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17 [ 83.861865] intel-vbtn INT33D6:00: Registering Intel Virtual Switches input-dev after receiving a switch event After which things go seriously wrong: [ 83.861872] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:1f.0/PNP0C09:00/INT33D6:00/input/input17' ... [ 83.861967] kobject: kobject_add_internal failed for input17 with -EEXIST, don't try to register things with the same name in the same directory. [ 83.877338] BUG: kernel NULL pointer dereference, address: 0000000000000018 ... Protect intel-vbtn notify_handler() from racing with itself with a mutex to fix this.
AI-Powered Analysis
Technical Analysis
CVE-2024-44937 is a vulnerability in the Linux kernel affecting the ACPI (Advanced Configuration and Power Interface) notify handler for the intel-vbtn driver, which manages Intel Virtual Button events. The root cause is a race condition introduced by a kernel commit (e2ffcda16290) that allowed ACPI notify handlers to run concurrently on multiple CPU cores. This concurrency leads to the intel-vbtn notify_handler() racing against itself, particularly evident on Dell Venue 7140 tablets during keyboard undocking events. The race condition causes the handler to attempt registering the same input device (priv->switches_dev) multiple times, resulting in duplicate device registration attempts. This triggers kernel log messages indicating duplicate registration and ultimately leads to a kernel NULL pointer dereference and system instability or crash. The fix involves protecting the notify_handler() with a mutex to serialize access and prevent concurrent execution, thereby eliminating the race condition. This vulnerability is specific to the intel-vbtn ACPI driver and the Linux kernel versions containing the problematic commit. No known exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-44937 primarily concerns systems running vulnerable Linux kernels on hardware platforms using the intel-vbtn driver, notably certain Dell Venue tablets or similar devices. The vulnerability can cause kernel crashes (denial of service) due to NULL pointer dereferences triggered by race conditions in ACPI event handling. This can lead to system instability, unexpected reboots, or downtime, which may disrupt business operations, especially in environments relying on affected hardware for critical tasks. While this vulnerability does not directly lead to privilege escalation or data compromise, the denial of service can affect availability, potentially impacting service continuity. Organizations with Linux-based endpoint devices, embedded systems, or specialized hardware using affected drivers should be aware. The lack of known exploits reduces immediate risk, but the vulnerability could be targeted in the future, especially in environments where physical undocking events or similar triggers are common. Additionally, kernel crashes can complicate forensic investigations and may be leveraged as part of multi-stage attacks.
Mitigation Recommendations
1. Apply the official Linux kernel patch that introduces a mutex to protect the intel-vbtn notify_handler(), preventing concurrent execution and race conditions. Monitor Linux kernel repositories and vendor advisories for updated kernel versions containing this fix. 2. For organizations unable to immediately patch, consider temporarily disabling the intel-vbtn driver if it is not critical to operations, to avoid triggering the race condition. 3. Implement robust monitoring of kernel logs for duplicate registration messages or related ACPI errors that could indicate attempts to exploit this vulnerability. 4. Test kernel updates in controlled environments before deployment to ensure compatibility and stability, especially on affected hardware models like Dell Venue tablets. 5. Maintain an inventory of hardware models and Linux kernel versions in use to identify potentially vulnerable systems. 6. Educate IT and security teams about this vulnerability to recognize symptoms of kernel instability related to ACPI events. 7. Coordinate with hardware vendors for firmware updates or guidance if applicable, as ACPI interactions involve both hardware and software layers.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-08-21T05:34:56.664Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9826c4522896dcbe0ca8
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/28/2025, 10:55:22 PM
Last updated: 8/4/2025, 10:40:54 PM
Views: 14
Related Threats
CVE-2025-8081: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder
MediumCVE-2025-6253: CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates
HighCVE-2025-3892: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS
MediumCVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS
MediumCVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.