CVE-2024-46721: Vulnerability in the Linux kernel (AppArmor)
In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix possible NULL pointer dereference

profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made from __create_missing_ancestors(..) and 'ent->old' is NULL in aa_replace_profiles(..). In that case, it must return an error code, and the code -ENOENT represents the state that the path of its parent does not exist yet.

BUG: kernel NULL pointer dereference, address: 0000000000000030
PGD 0 P4D 0
PREEMPT SMP PTI
CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:aafs_create.constprop.0+0x7f/0x130
Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ? show_regs+0x6d/0x80
 ? __die+0x24/0x80
 ? page_fault_oops+0x99/0x1b0
 ? kernelmode_fixup_or_oops+0xb2/0x140
 ? __bad_area_nosemaphore+0x1a5/0x2c0
 ? find_vma+0x34/0x60
 ? bad_area_nosemaphore+0x16/0x30
 ? do_user_addr_fault+0x2a2/0x6b0
 ? exc_page_fault+0x83/0x1b0
 ? asm_exc_page_fault+0x27/0x30
 ? aafs_create.constprop.0+0x7f/0x130
 ? aafs_create.constprop.0+0x51/0x130
 __aafs_profile_mkdir+0x3d6/0x480
 aa_replace_profiles+0x83f/0x1270
 policy_update+0xe3/0x180
 profile_load+0xbc/0x150
 ? rw_verify_area+0x47/0x140
 vfs_write+0x100/0x480
 ? __x64_sys_openat+0x55/0xa0
 ? syscall_exit_to_user_mode+0x86/0x260
 ksys_write+0x73/0x100
 __x64_sys_write+0x19/0x30
 x64_sys_call+0x7e/0x25c0
 do_syscall_64+0x7f/0x180
 entry_SYSCALL_64_after_hwframe+0x78/0x80
RIP: 0033:0x7be9f211c574
Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574
RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004
RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80
R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30
 </TASK>
Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas
CR2: 0000000000000030
---[ end trace 0000000000000000 ]---
RIP: 0010:aafs_create.constprop.0+0x7f/0x130
Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000 ---truncated---
AI Analysis
Technical Summary
CVE-2024-46721 is a vulnerability in the Linux kernel's AppArmor security module: a possible NULL pointer dereference in AppArmor's filesystem abstraction (AAFS). The flaw arises when the kernel accesses the 'dents' array of a profile's parent, profile->parent->dents[AAFS_PROF_DIR]. That entry is NULL when the parent profile was created by the __create_missing_ancestors function and the 'ent->old' pointer is NULL during the aa_replace_profiles operation. In that case the code should return the error code -ENOENT, indicating that the parent's path does not exist yet; without that check the kernel dereferences a NULL pointer and crashes (BUG).

The kernel trace above shows the fault in aafs_create, reached from __aafs_profile_mkdir during aa_replace_profiles and policy_update, that is, while a profile is being written into the AppArmor policy interface; the result is a kernel oops and system instability. The vulnerability is triggered by AppArmor profile loading or replacement operations and can lead to denial of service (DoS) through kernel crashes. It affects Linux kernel versions including the 6.8.0-24-generic kernel and likely other versions using the affected AppArmor code paths.

No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability is nonetheless significant because it affects the kernel's security module, which enforces mandatory access controls. Triggering it requires local access, since it involves AppArmor profile management, typically performed by privileged users or processes. The root cause is improper handling of NULL pointers during profile ancestor creation and replacement, leading to a kernel panic and system crash.
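The failure path described above, as an added user-space model written for this page (it is not the kernel's code and not the fix commit itself): the profile and dentry structs, the "profiles" subdirectory slot, load_child() and the behaviour of the aafs_create_dir() stand-in are assumptions that mirror the shape of __aafs_profile_mkdir(); the point shown is the -ENOENT check for a parent profile that has no AAFS directory entry yet.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

enum { AAFS_PROF_DIR, AAFS_PROF_PROFS, AAFS_PROF_SIZEOF };

struct dentry { char name[32]; struct dentry *parent; };

struct aa_profile {
	const char *name;
	struct aa_profile *parent;               /* NULL for a top-level profile */
	struct dentry *dents[AAFS_PROF_SIZEOF];  /* AAFS entries; NULL until created */
};

/* Stand-in for aafs_create_dir() (assumption): the kernel helper uses 'parent',
 * which is the NULL dereference at address 0x30 reported in the oops. */
static struct dentry *aafs_create_dir(const char *name, struct dentry *parent)
{
	struct dentry *d = calloc(1, sizeof(*d));
	if (!d)
		return NULL;
	strncpy(d->name, name, sizeof(d->name) - 1);
	d->parent = parent;
	return d;
}

/* Model of __aafs_profile_mkdir() with the fix: a parent profile with no AAFS
 * directory yields -ENOENT; the pre-fix code lacked the `if (!pdir)` check. */
static int aafs_profile_mkdir(struct aa_profile *profile)
{
	struct dentry *dir = NULL;               /* top-level profiles hang off the root */
	if (profile->parent) {
		struct dentry *pdir = profile->parent->dents[AAFS_PROF_DIR];
		if (!pdir)          /* parent built by __create_missing_ancestors() */
			return -ENOENT; /* "the path of its parent does not exist yet" */
		if (!profile->parent->dents[AAFS_PROF_PROFS])
			profile->parent->dents[AAFS_PROF_PROFS] = aafs_create_dir("profiles", pdir);
		dir = profile->parent->dents[AAFS_PROF_PROFS];
		if (!dir)
			return -ENOMEM;
	}
	profile->dents[AAFS_PROF_DIR] = aafs_create_dir(profile->name, dir);
	return profile->dents[AAFS_PROF_DIR] ? 0 : -ENOMEM;
}

/* Constructed scenario: load a child whose parent either was loaded normally
 * (parent_loaded = 1) or exists only as a missing ancestor with no directory. */
static int load_child(int parent_loaded)
{
	struct aa_profile parent = { .name = "parent" };            /* dents all NULL */
	struct aa_profile child = { .name = "parent//child", .parent = &parent };
	if (parent_loaded && aafs_profile_mkdir(&parent) != 0)
		return -1;
	return aafs_profile_mkdir(&child);
}
```

With parent_loaded = 0 the model returns -ENOENT where the unpatched kernel would have passed a NULL dentry on and oopsed; with parent_loaded = 1 the child directory is created normally.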
Potential Impact
For European organizations, this vulnerability poses a risk primarily of denial of service on Linux systems utilizing AppArmor for security policy enforcement. Many European enterprises, government agencies, and cloud providers rely on Linux servers for critical infrastructure, and AppArmor is a common security module, especially in distributions like Ubuntu, which is widely used across Europe. A successful trigger of this vulnerability could cause kernel crashes, leading to system downtime, disruption of services, and potential loss of availability. While this vulnerability does not directly lead to privilege escalation or data breach, the resulting instability could be exploited as part of a broader attack to disrupt operations or force system reboots. Organizations running containerized workloads or cloud environments with AppArmor enabled might face increased risk if automated profile updates or deployments trigger this flaw. The lack of known exploits reduces immediate risk, but the vulnerability's presence in the kernel means that attackers with local access or the ability to influence AppArmor profile loading could cause service interruptions. This is particularly critical for sectors requiring high availability such as finance, healthcare, and public administration in Europe.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the latest Linux kernel updates and patches as soon as they become available from their distribution vendors, ensuring the fix for CVE-2024-46721 is included.
2) Audit and restrict access to AppArmor profile management tools and processes to trusted administrators only, minimizing the risk of unauthorized profile replacement attempts.
3) Monitor system logs for AppArmor-related errors or kernel oops messages that could indicate attempts to trigger this vulnerability.
4) Implement robust change management and testing procedures for AppArmor profile updates to detect and prevent malformed or incomplete profiles that could cause the NULL pointer dereference.
5) Consider temporarily disabling automatic AppArmor profile reloads or replacements in environments where stability is critical until patches are applied.
6) Employ kernel crash dump analysis and monitoring to quickly identify and respond to any kernel panics related to AppArmor.
These steps go beyond generic advice by focusing on controlling profile management and monitoring kernel behavior specific to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.255Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 12:55:00 AM
Last updated: 7/25/2025, 1:45:00 PM