CVE-2024-46788: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

tracing/osnoise: Use a cpumask to know what threads are kthreads

The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to:

 while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done

Causing the following OOPS:

 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
 RIP: 0010:hrtimer_active+0x58/0x300
 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f
 RSP: 0018:ffff88811d97f940 EFLAGS: 00010202
 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b
 RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28
 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60
 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d
 R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28
 FS:  0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000561858ad7258 CR3: 000000007729e001 CR4: 0000000000170ef0
 Call Trace:
  <TASK>
  ? die_addr+0x40/0xa0
  ? exc_general_protection+0x154/0x230
  ? asm_exc_general_protection+0x26/0x30
  ? hrtimer_active+0x58/0x300
  ? __pfx_mutex_lock+0x10/0x10
  ? __pfx_locks_remove_file+0x10/0x10
  hrtimer_cancel+0x15/0x40
  timerlat_fd_release+0x8e/0x1f0
  ? security_file_release+0x43/0x80
  __fput+0x372/0xb10
  task_work_run+0x11e/0x1f0
  ? _raw_spin_lock+0x85/0xe0
  ? __pfx_task_work_run+0x10/0x10
  ? poison_slab_object+0x109/0x170
  ? do_exit+0x7a0/0x24b0
  do_exit+0x7bd/0x24b0
  ? __pfx_migrate_enable+0x10/0x10
  ? __pfx_do_exit+0x10/0x10
  ? __pfx_read_tsc+0x10/0x10
  ? ktime_get+0x64/0x140
  ? _raw_spin_lock_irq+0x86/0xe0
  do_group_exit+0xb0/0x220
  get_signal+0x17ba/0x1b50
  ? vfs_read+0x179/0xa40
  ? timerlat_fd_read+0x30b/0x9d0
  ? __pfx_get_signal+0x10/0x10
  ? __pfx_timerlat_fd_read+0x10/0x10
  arch_do_signal_or_restart+0x8c/0x570
  ? __pfx_arch_do_signal_or_restart+0x10/0x10
  ? vfs_read+0x179/0xa40
  ? ksys_read+0xfe/0x1d0
  ? __pfx_ksys_read+0x10/0x10
  syscall_exit_to_user_mode+0xbc/0x130
  do_syscall_64+0x74/0x110
  ? __pfx___rseq_handle_notify_resume+0x10/0x10
  ? __pfx_ksys_read+0x10/0x10
  ? fpregs_restore_userregs+0xdb/0x1e0
  ? fpregs_restore_userregs+0xdb/0x1e0
  ? syscall_exit_to_user_mode+0x116/0x130
  ? do_syscall_64+0x74/0x110
  ? do_syscall_64+0x74/0x110
  ? do_syscall_64+0x74/0x110
  entry_SYSCALL_64_after_hwframe+0x71/0x79
 RIP: 0033:0x7ff0070eca9c
 Code: Unable to access opcode bytes at 0x7ff0070eca72.
 RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c
 RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003
 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0
 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003
 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008
  </TASK>
 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core
 ---[ end trace 0000000000000000 ]---

This is because it would mistakenly call kthread_stop() on a user space thread making it "exit" before it actually exits. Since kthread ---truncated---
AI Analysis
Technical Summary
CVE-2024-46788 is a race condition in the Linux kernel's tracing/osnoise code, which implements the osnoise and timerlat tracers. Each CPU has a per-CPU "kthread" pointer that normally refers to the tracer's own kernel thread. When timerlat is driven through its user-space interface (rtla timerlat top -u, which opens a per-CPU timerlat file descriptor), that same pointer instead refers to the user task that opened the file. The start and stop paths (start_kthread() and stop_thread() in the description) did not always run with interface_lock held, so the pointer could change between being checked and being used, and the stop path could end up calling kthread_stop() on a task that was not a kernel thread at all. The kernel then treated that user task as an exiting kthread before it had actually exited; when the task later released its timerlat file descriptor, timerlat_fd_release() called hrtimer_cancel() on per-CPU timer state that was no longer valid, and hrtimer_active() dereferenced an invalid pointer, which KASAN reports as a null pointer dereference (the faulting task in the trace is the user-space timerlat thread, Comm: timerlatu/5, while it is exiting). The upstream fix named in the description, "tracing/osnoise: Use a cpumask to know what threads are kthreads", records in a cpumask which CPUs' slots hold a real kthread so that kthread_stop() is only applied to those, and takes interface_lock around the pointer handling. The reproducer is a shell loop that repeatedly starts rtla timerlat top -u and interrupts it with SIGINT followed one millisecond later by SIGTERM; it needs no exploit code, but it does need access to tracefs (/sys/kernel/tracing), which is mounted 0700 root by default, so the practical precondition is already-privileged access or a deployment that exposes tracefs to unprivileged users or containers. The oops was reproduced on 6.11.0-rc4; any kernel that includes the timerlat user-space interface and lacks the fix should be treated as affected until the distribution advisory says otherwise. No CVSS score was assigned in the source record, no exploitation in the wild is known, and the demonstrated impact is a kernel crash, i.e. denial of service.
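The following is an added user-space model of the ownership problem described above; it is not kernel code and not part of the original page or the upstream patch. It shows why a single per-CPU pointer that can hold either a kernel thread or a user thread is unsafe to pass to kthread_stop(), and how a take-and-clear under a lock plus a "which slots are kthreads" cpumask fixes it. The names start_kthread, timerlat_fd_open, interface_lock and kthread_cpumask are borrowed from the function and variable names mentioned on the page and in the fix title; per_cpu_osnoise_var, the struct layouts, the release_user_thread() stand-in for what the fixed path does with a user thread, and the scenario driver are all constructed here and are assumptions, not statements about the kernel's actual implementation.

```c
/* Added example: user-space model of the osnoise/timerlat stop path.
 * Not kernel code. Names modelled on the kernel; layouts are constructed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define NR_CPUS 8

/* The two kinds of task that can occupy the per-CPU slot. */
enum task_kind { TASK_KTHREAD = 1, TASK_USER = 2 };

struct task {
    enum task_kind kind;
    bool stopped;   /* set by the kthread_stop() stand-in */
    bool signalled; /* set by the user-thread cleanup stand-in */
};

struct osn_cpu {
    struct task *kthread; /* kernel thread OR user thread: the slot alone can't tell */
};

static struct osn_cpu per_cpu_osnoise_var[NR_CPUS];          /* constructed */
static atomic_flag interface_lock = ATOMIC_FLAG_INIT;        /* stand-in for the mutex */
static atomic_ulong kthread_cpumask;                         /* bit cpu set => real kthread */
static int bogus_kthread_stops;                              /* kthread_stop() on a non-kthread */

static void lock_iface(void)   { while (atomic_flag_test_and_set(&interface_lock)) {} }
static void unlock_iface(void) { atomic_flag_clear(&interface_lock); }

/* Stand-in for kthread_stop(): only meaningful for a kernel thread. Applying
 * it to a user task is the misuse the page's oops traces back to. */
static void kthread_stop(struct task *t)
{
    if (t->kind != TASK_KTHREAD) {
        bogus_kthread_stops++;
        return;
    }
    t->stopped = true;
}

/* Modelling assumption: the fixed path asks the user thread to go away
 * instead of kthread_stop()ing it. Not a claim about the upstream patch. */
static void release_user_thread(struct task *t) { t->signalled = true; }

static void reset_model(void)
{
    for (unsigned cpu = 0; cpu < NR_CPUS; cpu++)
        per_cpu_osnoise_var[cpu].kthread = NULL;
    atomic_store(&kthread_cpumask, 0UL);
    bogus_kthread_stops = 0;
}

/* Tracer-owned kernel thread registers and marks its CPU in the cpumask. */
void start_kthread(unsigned cpu, struct task *kt)
{
    lock_iface();
    per_cpu_osnoise_var[cpu].kthread = kt;
    atomic_fetch_or(&kthread_cpumask, 1UL << cpu);
    unlock_iface();
}

/* rtla timerlat -u: the user task that opened the timerlat fd takes the slot. */
void timerlat_fd_open(unsigned cpu, struct task *user)
{
    lock_iface();
    per_cpu_osnoise_var[cpu].kthread = user;
    atomic_fetch_and(&kthread_cpumask, ~(1UL << cpu));
    unlock_iface();
}

/* BEFORE: unlocked read, and kthread_stop() on whatever is in the slot. */
void stop_kthread_buggy(unsigned cpu)
{
    struct task *t = per_cpu_osnoise_var[cpu].kthread;
    if (t) {
        kthread_stop(t);
        per_cpu_osnoise_var[cpu].kthread = NULL;
    }
}

/* AFTER: take-and-clear the slot under the lock, then dispatch on the cpumask
 * so kthread_stop() is only ever applied to a thread the tracer created. */
void stop_kthread_fixed(unsigned cpu)
{
    unsigned long bit = 1UL << cpu;
    struct task *t;

    lock_iface();
    t = per_cpu_osnoise_var[cpu].kthread;
    per_cpu_osnoise_var[cpu].kthread = NULL;
    unlock_iface();

    if (!t)
        return; /* already stopped by another caller: nothing to do */
    if (atomic_fetch_and(&kthread_cpumask, ~bit) & bit)
        kthread_stop(t);
    else
        release_user_thread(t);
}

/* Drive one kthread (CPU 1) and one user thread (CPU 2) through either stop
 * path. Result bits: 1 = kthread stopped, 2 = user thread signalled,
 * bits 2.. = number of kthread_stop() calls made on a non-kthread. */
int scenario_result(bool use_fixed)
{
    struct task kt = { .kind = TASK_KTHREAD };
    struct task ut = { .kind = TASK_USER };

    reset_model();
    start_kthread(1, &kt);
    timerlat_fd_open(2, &ut);
    if (use_fixed) {
        stop_kthread_fixed(1);
        stop_kthread_fixed(2);
        stop_kthread_fixed(2); /* repeated stop: slot already cleared, no-op */
    } else {
        stop_kthread_buggy(1);
        stop_kthread_buggy(2);
    }
    return (kt.stopped ? 1 : 0) | (ut.signalled ? 2 : 0) | (bogus_kthread_stops << 2);
}
```

Build with cc -std=c11. scenario_result(false) reports one kthread_stop() on the user thread, the misuse the commit message describes; scenario_result(true) reports none, and the third stop on CPU 2 is harmless because the slot was cleared under the lock by the first.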
Potential Impact
For European organizations, the impact of CVE-2024-46788 is to availability. The demonstrated outcome is a kernel oops in the task that releases its timerlat file descriptor; with panic_on_oops set this takes down the host, and even without a panic a kernel that has oopsed is in an undefined state and should be rebooted. Confidentiality and integrity are not affected by the crash itself, and the description gives no indication of an attacker-controlled write. The precondition is access to the osnoise/timerlat interface under tracefs (/sys/kernel/tracing), which is mounted 0700 root by default, so neither an unprivileged local user nor a network attacker can reach the trigger on a default configuration. The realistic exposures are hosts where tracefs has been opened to a tracing group or bind-mounted into containers, privileged automation that runs rtla timerlat in user-space mode (-u) as part of latency testing on PREEMPT_RT or low-latency systems, and accidental triggering by operators, since the reproducer is nothing more than interrupting rtla at the wrong moment. Once the precondition is met, no exploit development is needed. The organizations most likely to be affected are therefore real-time, telecom, industrial and HPC deployments that actually use timerlat, plus anyone running a distribution kernel that ships the timerlat user-space interface without the fix. No exploitation has been reported, and because the result is a crash rather than a privilege gain, attacker interest is likely limited to disruption.
Mitigation Recommendations
To mitigate CVE-2024-46788, European organizations should: 1) Inventory Linux hosts whose kernel has CONFIG_TIMERLAT_TRACER enabled (common in distribution kernels) and that expose tracefs to anyone other than root, and identify where rtla timerlat or the timerlat file-descriptor interface is used in latency testing. 2) Apply the distribution kernel update that carries the upstream fix "tracing/osnoise: Use a cpumask to know what threads are kthreads"; the description on this page is that fix's commit message, so the patch exists upstream and the only open question is whether your vendor has backported it. 3) Until patched, stop using timerlat's user-space mode (rtla timerlat -u) on production hosts; the crash shown requires a user thread to be registered through the timerlat file descriptor, which only happens in that mode. 4) Keep tracefs at its default 0700 root permissions, do not add unprivileged users to a tracing group, and do not bind-mount /sys/kernel/tracing or /sys/kernel/debug into containers. 5) Alert on kernel oops reports in dmesg or the journal that mention timerlat_fd_release or hrtimer_active together with a timerlatu/ task name, which is the signature in the description. 6) For custom or backported kernels, check kernel/trace/trace_osnoise.c for the cpumask introduced by the fix and for interface_lock being held around the per-CPU kthread pointer in both the start and stop paths. 7) Verify the fix only on a disposable test machine: the reproducer in the description crashes an unpatched kernel. 8) Follow the vendor advisory for the exact fixed package versions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-09-11T15:12:18.278Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9827c4522896dcbe12ee
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 1:54:38 AM
Last updated: 7/28/2025, 6:39:50 PM