CVE-2024-46785: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

eventfs: Use list_del_rcu() for SRCU protected list variable

Chi Zhiling reported:

We found a null pointer access in tracefs[1]; the reason is that the variable 'ei_child' is set to LIST_POISON1, which means the list was removed in eventfs_remove_rec, so when ei_child->is_freed is accessed the panic is triggered.

By the way, the following script can reproduce this panic:

    loop1 (){
        while true
        do
            echo "p:kp submit_bio" > /sys/kernel/debug/tracing/kprobe_events
            echo "" > /sys/kernel/debug/tracing/kprobe_events
        done
    }

    loop2 (){
        while true
        do
            tree /sys/kernel/debug/tracing/events/kprobes/
        done
    }

    loop1 &
    loop2

[1]:

    [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150
    [ 1147.968239][T17331] Mem abort info:
    [ 1147.971739][T17331] ESR = 0x0000000096000004
    [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits
    [ 1147.982171][T17331] SET = 0, FnV = 0
    [ 1147.985906][T17331] EA = 0, S1PTW = 0
    [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault
    [ 1147.995292][T17331] Data abort info:
    [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
    [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
    [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges
    [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP
    [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls]
    [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2
    [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650
    [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020
    [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398
    [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398
    [ 1148.115969][T17331] sp : ffff80008d56bbd0
    [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000
    [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100
    [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10
    [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000
    [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0
    [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
    [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0
    [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862
    [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068
    [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001
    [ 1148.198131][T17331] Call trace:
    [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398
    [ 1148.205864][T17331] iterate_dir+0x98/0x188
    [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160
    [ 1148.215161][T17331] invoke_syscall+0x78/0x108
    [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0
    [ 1148.224977][T17331] do_el0_svc+0x24/0x38
    [ 1148.228974][T17331] el0_svc+0x40/0x168
    [ 1148.232798][T17 ---truncated---
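The commit title says everything about the fix: the eventfs child list is walked by readers under SRCU, so an entry must be unlinked with list_del_rcu() rather than list_del(). The following user-space model, added here as an illustration and not taken from the kernel or from the advisory, shows why. It mirrors the pointer manipulation of the kernel's list_del()/list_del_rcu() and its LIST_POISON1/LIST_POISON2 constants (the arm64/x86-64 values, which is why x24 in the oops above holds dead000000000100 and the fault lands at dead000000000150, LIST_POISON1 plus a field offset). The struct eventfs_inode, the entry names and the race_readdir() driver are constructed for the example: the "race" is replayed deterministically in one thread as reader-snapshots-node, writer-removes-node, reader-resumes, which is the interleaving the report's readdir-versus-kprobe-removal loops hit.

```c
/* Added example (not kernel code): a user-space model of the intrusive
 * doubly linked list from include/linux/list.h, showing why list_del() is
 * unsafe on a list that concurrent (S)RCU readers traverse and why
 * list_del_rcu() is the right primitive. POISON constants match arm64/x86-64. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define POISON_POINTER_DELTA 0xdead000000000000ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)(0x100 + POISON_POINTER_DELTA))
#define LIST_POISON2 ((struct list_head *)(uintptr_t)(0x122 + POISON_POINTER_DELTA))

struct list_head { struct list_head *next, *prev; };

struct eventfs_inode {              /* toy stand-in for the kernel's eventfs_inode */
    struct list_head list;
    const char *name;
    int is_freed;                   /* the field the oops above was reading */
};

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *new, struct list_head *head)
{
    struct list_head *prev = head->prev;
    new->next = head; new->prev = prev;
    prev->next = new; head->prev = new;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev;
    prev->next = next;
}

/* Plain list_del(): unlinks and poisons BOTH pointers. A reader that already
 * holds this node and follows ->next lands on LIST_POISON1. */
static void list_del(struct list_head *entry)
{
    __list_del(entry->prev, entry->next);
    entry->next = LIST_POISON1;
    entry->prev = LIST_POISON2;
}

/* list_del_rcu(): unlinks but leaves ->next intact, so a reader that is
 * already on this node still reaches the rest of the list. Only ->prev is
 * poisoned because RCU readers never walk backwards. The node itself must
 * stay allocated until the grace period ends (kfree_rcu / synchronize_srcu). */
static void list_del_rcu(struct list_head *entry)
{
    __list_del(entry->prev, entry->next);
    entry->prev = LIST_POISON2;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Replays the racy readdir: the reader has fetched the node at index `pos`
 * (as eventfs_iterate does), the writer removes exactly that node with `del`,
 * and the reader then continues from the stale node. Returns the number of
 * live entries the reader can still visit, or -1 if its next step would have
 * dereferenced LIST_POISON1 (the kernel equivalent is the oops in the report). */
static int race_readdir(void (*del)(struct list_head *), int pos)
{
    struct list_head head;
    struct eventfs_inode nodes[4] = {            /* constructed entries */
        { .name = "enable" }, { .name = "filter" },
        { .name = "kp" }, { .name = "trigger" },
    };
    INIT_LIST_HEAD(&head);
    for (int i = 0; i < 4; i++)
        list_add_tail(&nodes[i].list, &head);

    /* Reader side: pick up a node inside the (S)RCU read-side critical section. */
    struct list_head *cur = head.next;
    for (int i = 0; i < pos; i++)
        cur = cur->next;

    /* Writer side: eventfs_remove_rec-style removal of that very node. */
    del(cur);
    container_of(cur, struct eventfs_inode, list)->is_freed = 1;

    /* Reader resumes from the pointer it already holds. */
    int visited = 0;
    for (cur = cur->next; cur != &head; cur = cur->next) {
        if (cur == LIST_POISON1)
            return -1;               /* would fault in the kernel */
        if (!container_of(cur, struct eventfs_inode, list)->is_freed)
            visited++;
    }
    return visited;
}

int main(void)
{
    printf("list_del     : %d\n", race_readdir(list_del, 1));     /* -1: poisoned ->next */
    printf("list_del_rcu : %d\n", race_readdir(list_del_rcu, 1)); /*  2: kp, trigger */
    return 0;
}
```

The poison check inside the loop is only there to make the model terminate; real kernel code has no such check, which is exactly why the access in eventfs_iterate faulted. Note also that list_del_rcu() alone is not sufficient in the kernel: the entry must not be freed until readers have left the SRCU critical section, which is what the deferred-free half of the RCU discipline provides.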
AI Analysis
Technical Summary
CVE-2024-46785 is a vulnerability in the Linux kernel's eventfs subsystem, specifically in how a list protected by SRCU (Sleepable Read-Copy Update) is modified while readers may still be traversing it. The root cause is an invalid pointer dereference, reported as a null pointer access: the variable 'ei_child' is set to LIST_POISON1 because the entry has already been removed by eventfs_remove_rec, and reading 'ei_child->is_freed' through that poisoned pointer faults. The oops confirms this: register x24 holds dead000000000100 (LIST_POISON1) and the faulting address is dead000000000150, i.e. the poison value plus the field offset. The vulnerability can be reproduced by running two loops concurrently: one rapidly adding and removing kprobe events through the debugfs tracing interface, the other listing the kprobe events directory. The resulting race between directory iteration (eventfs_iterate, reached from getdents64) and entry removal triggers the bad dereference and a kernel crash. The kernel log shows an 'Unable to handle kernel paging request' error with ARM64-specific memory abort details, confirming the invalid access. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes. No known exploits are currently reported in the wild. The issue was reported by Chi Zhiling and has been addressed by replacing the plain list removal with list_del_rcu(), which leaves the forward pointer intact so that SRCU readers already on the removed entry can finish their traversal, closing the use-after-free window. This is a denial-of-service (DoS) vulnerability: it causes system instability and crashes when triggered. It requires local access to the debugfs tracing interface, which is normally restricted to privileged users, so the attack surface is limited to authorized users or processes. On systems where debugfs is exposed or accessible to untrusted users, however, the flaw could be used to cause kernel panics and outages.
Potential Impact
For European organizations, the impact of CVE-2024-46785 primarily involves potential denial-of-service conditions on Linux-based systems. Many European enterprises, government agencies, and critical infrastructure operators rely heavily on Linux servers and embedded devices. A kernel panic induced by this vulnerability would cause system crashes, leading to service interruptions, potential data loss, and operational downtime. This could affect cloud service providers, telecommunications infrastructure, financial institutions, and industrial control systems that utilize Linux kernels vulnerable to this flaw. Although exploitation requires local access and interaction with debugfs, insider threats or compromised accounts could leverage this vulnerability to disrupt services. Additionally, development and testing environments that enable debugfs for tracing might be more exposed. The vulnerability does not directly lead to privilege escalation or remote code execution but can be leveraged as part of a broader attack chain to degrade system availability. Organizations with high availability requirements or those operating critical services should prioritize patching to avoid service disruptions. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels necessitates proactive mitigation.
Mitigation Recommendations
1. Apply the official Linux kernel patches that replace the unsafe list removal with list_del_rcu() in the eventfs subsystem to eliminate the null pointer dereference and race condition.
2. Restrict access to the debugfs filesystem, especially the tracing and kprobe interfaces, to trusted and authorized users only. Consider mounting debugfs with restrictive permissions or disabling it entirely in production environments where tracing is not required.
3. Implement kernel lockdown features and mandatory access controls (e.g., SELinux, AppArmor) to limit the ability of unprivileged users to interact with kernel tracing interfaces.
4. Monitor system logs for kernel panics or unusual activity related to debugfs and tracing events to detect potential exploitation attempts.
5. For environments requiring tracing, use controlled and isolated test systems rather than production servers to minimize risk.
6. Educate system administrators and security teams about the vulnerability and ensure timely deployment of kernel updates across all Linux systems.
7. Employ system integrity monitoring tools to detect unauthorized changes or suspicious kernel module activities that could indicate exploitation attempts.
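Recommendation 4 asks for log monitoring; the oops in the description gives a concrete signature to monitor for. The classifier below is an added example, not part of the advisory or of any kernel tooling: it scans oops text (for instance a dmesg or journald export) for a kernel paging fault whose address lies in the list-poison window around LIST_POISON1/LIST_POISON2, combined with eventfs_/tracefs_ frames in the call trace and entry via getdents64. The sample lines are constructed, abbreviated copies of the oops quoted above plus an unrelated counter-example; the flag names and the matching rule are this example's own.

```c
/* Added example (not from the advisory or the kernel): classify kernel oops
 * lines and flag the pattern seen in this report, a data abort at a
 * LIST_POISON address while eventfs/tracefs was iterating a directory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define POISON_POINTER_DELTA 0xdead000000000000ULL   /* arm64 / x86-64 value */

enum oops_flags {
    OOPS_PAGING_FAULT  = 1 << 0,  /* "Unable to handle kernel paging request" */
    OOPS_POISON_ADDR   = 1 << 1,  /* faulting address is in the list-poison window */
    OOPS_TRACEFS_FRAME = 1 << 2,  /* an eventfs_/tracefs_ symbol appears */
    OOPS_FROM_READDIR  = 1 << 3,  /* reached through getdents64 (directory listing) */
};

/* True when the address shares the 64 KiB window of LIST_POISON1 (…0100)
 * and LIST_POISON2 (…0122): the access went through a pointer that a
 * list_del() had already poisoned, plus some field offset. */
static int is_list_poison(uint64_t addr)
{
    return (addr & ~0xffffULL) == POISON_POINTER_DELTA;
}

/* Scan oops lines and return an OR of oops_flags. */
static unsigned classify_oops(const char *const lines[], size_t n)
{
    static const char key[] = "kernel paging request at virtual address ";
    unsigned flags = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = strstr(lines[i], key);
        if (p) {
            flags |= OOPS_PAGING_FAULT;
            uint64_t addr = strtoull(p + strlen(key), NULL, 16);
            if (is_list_poison(addr))
                flags |= OOPS_POISON_ADDR;
        }
        if (strstr(lines[i], " eventfs_") || strstr(lines[i], " tracefs_"))
            flags |= OOPS_TRACEFS_FRAME;
        if (strstr(lines[i], "sys_getdents64"))
            flags |= OOPS_FROM_READDIR;
    }
    return flags;
}

/* The combination that matches this report: poison-address fault with
 * eventfs/tracefs on the stack. getdents64 is informative but not required. */
static int matches_eventfs_poison_oops(unsigned flags)
{
    unsigned need = OOPS_PAGING_FAULT | OOPS_POISON_ADDR | OOPS_TRACEFS_FRAME;
    return (flags & need) == need;
}

/* Constructed sample: abbreviated lines from the oops quoted in the report. */
static const char *const sample_eventfs_oops[] = {
    "[ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150",
    "[ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP",
    "[ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398",
    "[ 1148.198131][T17331] Call trace:",
    "[ 1148.201259][T17331]  eventfs_iterate+0x2c0/0x398",
    "[ 1148.205864][T17331]  iterate_dir+0x98/0x188",
    "[ 1148.210036][T17331]  __arm64_sys_getdents64+0x78/0x160",
};
#define N_SAMPLE (sizeof sample_eventfs_oops / sizeof sample_eventfs_oops[0])

/* Constructed counter-example: an unrelated NULL dereference in a driver. */
static const char *const sample_other_oops[] = {
    "[  812.001000][T4242] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010",
    "[  812.002000][T4242] Call trace:",
    "[  812.003000][T4242]  some_driver_irq+0x40/0x80",
};
#define N_OTHER (sizeof sample_other_oops / sizeof sample_other_oops[0])

static unsigned classify_sample(void) { return classify_oops(sample_eventfs_oops, N_SAMPLE); }
static unsigned classify_other(void)  { return classify_oops(sample_other_oops, N_OTHER); }

int main(void)
{
    unsigned f = classify_sample();
    printf("flags=0x%x eventfs-poison-oops=%s\n", f,
           matches_eventfs_poison_oops(f) ? "yes" : "no");  /* flags=0xf ... yes */
    return 0;
}
```

A hit on this rule on an unpatched 6.x kernel that exposes debugfs is worth treating as either an attempt to trigger the crash or a sign that legitimate tracing workloads are racing each other; either way the system should be patched and the debugfs exposure reviewed (recommendations 1 to 3).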
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Finland, Poland, Belgium
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-11T15:12:18.277Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9820c4522896dcbdcdf8
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/27/2025, 9:13:09 PM
Last updated: 8/4/2025, 9:23:30 AM