CVE-2024-46680: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btnxpuart: Fix random crash seen while removing driver

This fixes the random kernel crash seen while removing the driver, when running the load/unload test over multiple iterations.

1) modprobe btnxpuart
2) hciconfig hci0 reset
3) hciconfig (check hci0 interface up with valid BD address)
4) modprobe -r btnxpuart
Repeat steps 1 to 4

The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(), which gets scheduled after the module is removed, causing a kernel crash. This hidden issue got highlighted after enabling Power Save by default in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on startup).

The new ps_cleanup() deasserts UART break immediately while closing the serdev device, cancels any scheduled ps_work and destroys the ps_lock mutex.

[ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258
[ 85.884624] Mem abort info:
[ 85.884625] ESR = 0x0000000086000007
[ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits
[ 85.884633] SET = 0, FnV = 0
[ 85.884636] EA = 0, S1PTW = 0
[ 85.884638] FSC = 0x07: level 3 translation fault
[ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000
[ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000
[ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
[ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]
[ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1
[ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)
[ 85.936182] Workqueue: events 0xffffd4a61638f380
[ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 85.952817] pc : 0xffffd4a61638f258
[ 85.952823] lr : 0xffffd4a61638f258
[ 85.952827] sp : ffff8000084fbd70
[ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000
[ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305
[ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970
[ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000
[ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090
[ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139
[ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50
[ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8
[ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000
[ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000
[ 85.977443] Call trace:
[ 85.977446] 0xffffd4a61638f258
[ 85.977451] 0xffffd4a61638f3e8
[ 85.977455] process_one_work+0x1d4/0x330
[ 85.977464] worker_thread+0x6c/0x430
[ 85.977471] kthread+0x108/0x10c
[ 85.977476] ret_from_fork+0x10/0x20
[ 85.977488] Code: bad PC value
[ 85.977491] ---[ end trace 0000000000000000 ]---

Present since v6.9.11
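The teardown ordering described above, as an added userspace model constructed for this page (it is not the driver's code and not kernel code): a single-slot "workqueue" that only runs when run_workqueue() is called stands in for the kworker that wakes up after modprobe -r; ps_work, schedule_work, cancel_work_sync and btnxpuart_close are simplified stand-ins named after the kernel functions, and remove_unfixed, remove_fixed and iteration are hypothetical helpers.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed userspace model of the btnxpuart teardown bug (not kernel code).
 * The single-slot "workqueue" below only runs when run_workqueue() is called,
 * which stands in for the kworker waking up after modprobe -r. */
struct ps_data { bool break_asserted; int wakeups; };
typedef void (*work_fn)(struct ps_data *);
static struct { work_fn fn; struct ps_data *data; } wq;  /* pending item */
static bool module_loaded;   /* is the driver's text still mapped? */
static bool bad_pc;          /* set if the worker jumped into unloaded text */

static void ps_work(struct ps_data *d) { d->break_asserted = false; d->wakeups++; }
static void schedule_work(work_fn fn, struct ps_data *d) { wq.fn = fn; wq.data = d; }
static void cancel_work_sync(void) { wq.fn = NULL; wq.data = NULL; }

/* The kworker side: a callback whose module is gone is the "bad PC" oops. */
static void run_workqueue(void) {
    if (!wq.fn) return;
    if (!module_loaded) { bad_pc = true; wq.fn = NULL; return; }
    wq.fn(wq.data); wq.fn = NULL;
}

/* btnxpuart_close(): ps_wakeup() queues ps_work; it does not run it here. */
static void btnxpuart_close(struct ps_data *d) { schedule_work(ps_work, d); }

/* Pre-fix removal: the module and psdata go away with ps_work still queued. */
static void remove_unfixed(struct ps_data *d) {
    btnxpuart_close(d);
    module_loaded = false; free(d);
}

/* Post-fix removal: ps_cleanup() deasserts the UART break at once and cancels
 * the work before anything it references is torn down. */
static void remove_fixed(struct ps_data *d) {
    btnxpuart_close(d);
    d->break_asserted = false;   /* deassert UART break immediately */
    cancel_work_sync();          /* nothing may run after this point */
    module_loaded = false; free(d);
}

/* One load/unload iteration; returns true if the worker hit a bad PC. */
static bool iteration(bool fixed) {
    struct ps_data *d = calloc(1, sizeof *d);
    module_loaded = true; bad_pc = false;
    d->break_asserted = true;    /* break held while the device sleeps */
    if (fixed) remove_fixed(d); else remove_unfixed(d);
    run_workqueue();             /* kworker runs only now, after unload */
    return bad_pc;
}
```

The unfixed path leaves a queued callback pointing into text that is no longer mapped, which is what the "Code: bad PC value" line in the oops records; the fixed path cancels it before the module is gone.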
AI Analysis
Technical Summary
CVE-2024-46680 is a vulnerability identified in the Linux kernel specifically affecting the Bluetooth btnxpuart driver. The issue arises from improper handling of scheduled work during the removal of the btnxpuart kernel module. When the driver is loaded and unloaded repeatedly, the ps_wakeup() function in btnxpuart_close() schedules a work item (psdata->work()) that may execute after the module has been removed. This results in a use-after-free condition causing a kernel crash (kernel oops) due to accessing invalid memory. The problem became apparent after the Power Save feature was enabled by default in the btnxpuart driver, which introduced asynchronous work scheduling related to power management.

The fix involves the introduction of a ps_cleanup() function that immediately deasserts the UART break signal upon closing the serdev device, cancels any scheduled work, and destroys the associated mutex to prevent work from executing after module removal.

The vulnerability manifests as a random kernel crash during repeated load/unload cycles of the btnxpuart driver, which can be reproduced with the sequence: modprobe btnxpuart, hciconfig hci0 reset, verifying the hci0 interface, and modprobe -r btnxpuart. The kernel crash logs indicate a kernel paging fault due to a level 3 translation fault, confirming invalid memory access. This vulnerability affects Linux kernel versions including and after v6.9.11 and is present in builds identified by the given commit hashes. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The vulnerability is primarily a stability and availability issue caused by a race condition in Bluetooth driver power management code.
Potential Impact
For European organizations, the impact of CVE-2024-46680 is primarily on system stability and availability rather than confidentiality or integrity. Systems running Linux kernels with the vulnerable btnxpuart Bluetooth driver may experience random kernel crashes during driver unload operations, which could lead to service interruptions or system reboots. This is particularly relevant for embedded systems, IoT devices, industrial control systems, or any Linux-based infrastructure that relies on Bluetooth connectivity and performs dynamic driver management. Organizations using Linux in critical environments such as manufacturing, healthcare, transportation, or telecommunications could face operational disruptions. Although this vulnerability does not directly enable privilege escalation or remote code execution, repeated kernel crashes can degrade system reliability and potentially cause denial of service conditions. Since the issue is triggered by module unload/load cycles, it is less likely to be exploited remotely but could be triggered by local users or automated system processes. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to stability issues.
Mitigation Recommendations
European organizations should apply the official Linux kernel patches that address CVE-2024-46680 as soon as they become available. Specifically, updating to Linux kernel versions including the fix (post v6.9.11) will prevent the race condition causing the kernel crash. Until patches are deployed, organizations should avoid repeatedly loading and unloading the btnxpuart driver, especially in automated test or power management scenarios. Systems that do not require Bluetooth btnxpuart functionality should consider disabling or blacklisting the driver to eliminate exposure. For embedded or IoT devices, firmware updates incorporating the patched kernel should be prioritized. Monitoring kernel logs for signs of the described paging faults or oops messages can help detect attempts to trigger the vulnerability. Additionally, organizations should implement robust system monitoring and automated reboot mechanisms to minimize downtime from unexpected kernel crashes. Coordination with Linux distribution vendors to receive timely security updates is critical. Finally, reviewing power management configurations related to Bluetooth devices to avoid unnecessary driver reloads can reduce risk.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.248Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe0f8a
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 12:11:19 AM
Last updated: 7/28/2025, 8:14:06 AM