CVE-2024-46746: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: free driver_data after destroying hid device

HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks.

I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output:

[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479
[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486] <TASK>
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.097464] kasan_report+0xc8/0x150
[ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.150446] ? __devm_add_action+0x167/0x1d0
[ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.161814] platform_probe+0xa2/0x150
[ 13.165029] really_probe+0x1e3/0x8a0
[ 13.168243] __driver_probe_device+0x18c/0x370
[ 13.171500] driver_probe_device+0x4a/0x120
[ 13.175000] __driver_attach+0x190/0x4a0
[ 13.178521] ? __pfx___driver_attach+0x10/0x10
[ 13.181771] bus_for_each_dev+0x106/0x180
[ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.194382] bus_add_driver+0x29e/0x4d0
[ 13.197328] driver_register+0x1a5/0x360
[ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.203362] do_one_initcall+0xa7/0x380
[ 13.206432] ? __pfx_do_one_initcall+0x10/0x10
[ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.213211] ? kasan_unpoison+0x44/0x70
[ 13.216688] do_init_module+0x238/0x750
[ 13.2196 ---truncated---
AI Analysis
Technical Summary
CVE-2024-46746 is a use-after-free vulnerability identified in the Linux kernel's Human Interface Device (HID) subsystem, specifically within the amd_sfh driver. The vulnerability arises because the driver frees its driver_data structure prematurely, before the hid_destroy_device() function returns. Since the HID driver callbacks continue to be invoked until hid_destroy_device() completes, the driver_data is accessed after it has been freed, leading to a use-after-free condition. This was observed on kernel version 6.10.0 with Kernel Address Sanitizer (KASAN) enabled, which detected slab-use-after-free errors during the amd_sfh_get_report() function execution. The vulnerability can cause kernel crashes and potentially lead to arbitrary code execution or privilege escalation if exploited. The issue affects Linux kernel versions that include the vulnerable amd_sfh HID driver implementation prior to the patch that corrects the timing of freeing driver_data. The vulnerability is rooted in improper lifecycle management of driver data structures in the HID subsystem, which is critical for input device handling on Linux systems. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability was publicly disclosed on September 18, 2024, and is relevant to systems running affected Linux kernel versions, particularly those using hardware with the amd_sfh HID driver, such as certain Lenovo ThinkPad models (e.g., T14s Gen 3) and potentially other AMD-based devices with similar HID implementations.
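The teardown-ordering problem described above, as a small userspace C model added here for illustration; it is not the amd_sfh driver's code or the upstream patch. All struct and function names are hypothetical, and the modelled "free" only marks the object dead so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not kernel API. */
struct drv_data { bool freed; };
struct model_hid {
    struct drv_data *driver_data;
    bool registered;   /* callbacks are delivered only while true */
    int stale_reads;   /* callbacks that read freed driver_data */
};

/* Stand-in for a HID callback (such as a report request) reading driver_data. */
static void model_callback(struct model_hid *hid) {
    if (!hid->registered)
        return;                      /* after destroy: never delivered */
    if (hid->driver_data->freed)
        hid->stale_reads++;          /* in the kernel: slab-use-after-free */
}

/* Models the free: only marks the object dead so the access stays observable. */
static void model_free(struct drv_data *d) { d->freed = true; }

/* Models device destruction: a request may still arrive until it returns. */
static void model_destroy(struct model_hid *hid) {
    model_callback(hid);             /* request racing with teardown */
    hid->registered = false;
}

static void remove_buggy(struct model_hid *hid) {
    model_free(hid->driver_data);    /* freed while callbacks can still run */
    model_destroy(hid);
}
static void remove_fixed(struct model_hid *hid) {
    model_destroy(hid);              /* callbacks stop first */
    model_free(hid->driver_data);    /* nothing can reach it any more */
}

/* Runs one teardown order; returns how many callbacks read freed data. */
static int run(void (*remove_fn)(struct model_hid *)) {
    struct drv_data data = { .freed = false };
    struct model_hid hid = { .driver_data = &data, .registered = true };
    remove_fn(&hid);
    model_callback(&hid);            /* late request: dropped in both orders */
    return hid.stale_reads;
}

int main(void) {
    printf("free-then-destroy: %d stale read(s)\n", run(remove_buggy));
    printf("destroy-then-free: %d stale read(s)\n", run(remove_fixed));
    return 0;
}
```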
Potential Impact
For European organizations, the impact of CVE-2024-46746 can be significant, especially for enterprises and government agencies relying on Linux-based systems for critical infrastructure, development environments, or endpoint devices. The vulnerability can cause system instability through kernel crashes, leading to denial of service. More critically, exploitation could allow attackers to execute arbitrary code with kernel privileges, compromising system confidentiality, integrity, and availability. This poses risks to sensitive data, operational continuity, and regulatory compliance under frameworks like GDPR. Organizations using Linux distributions with kernels incorporating the vulnerable amd_sfh driver, particularly on AMD hardware, may face elevated risks. The vulnerability could be leveraged in targeted attacks or by malware to escalate privileges and persist on systems. Given the widespread use of Linux in European data centers, cloud environments, and embedded systems, the threat surface is broad. However, exploitation requires local access or user-level code execution, limiting remote attack vectors but not eliminating insider threats or malware-based exploitation.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates from trusted distributors that include the fix for CVE-2024-46746. Monitor vendor advisories for patched kernel versions.
2. Kernel version management: Avoid deploying or continuing to use kernel versions prior to the fix, especially on AMD hardware with the amd_sfh HID driver.
3. Access control: Restrict local user privileges to minimize the risk of unprivileged users exploiting the vulnerability.
4. Enable kernel hardening features: Use security modules like SELinux or AppArmor to limit the impact of potential kernel exploits.
5. Monitor system logs: Implement monitoring for kernel crash logs or unusual HID driver activity that could indicate exploitation attempts.
6. Use KASAN or similar debugging tools in testing environments to detect memory corruption issues proactively.
7. For critical environments, consider isolating vulnerable systems or using virtualization/containerization to limit exposure until patches are applied.
8. Educate system administrators about the vulnerability and the importance of timely kernel updates, especially on AMD-based Linux systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.266Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9826c4522896dcbe1191
Added to database: 5/21/2025, 9:08:54 AM
Last enriched: 6/29/2025, 1:11:21 AM
Last updated: 8/1/2025, 6:55:58 AM