CVE-2024-46848: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: <NMI> ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.
AI Analysis
Technical Summary
CVE-2024-46848 is a vulnerability identified in the Linux kernel's performance monitoring unit (PMU) code for Intel Haswell (HSW) processors. The issue arises from the handling of the period parameter in the frequency estimation algorithm used by the perf subsystem, specifically when monitoring hardware performance events. The vulnerability is triggered by setting an initial period value that is too low (initially 1), which violates hardware errata HSW11 and HSW143 documented for Haswell CPUs. Erratum HSW11 requires a minimum period larger than 100 for the INST_RETIRED.ALL event to avoid hardware defects, but the kernel's initial period was set to 1, leading to erratic behavior and potential system instability. Erratum HSW143 involves overcounting issues on fixed counter 1 when Hyper-Threading is enabled, causing inaccurate event counts and interrupt handling problems. The kernel patch enforces a minimum period of 128 for the INST_RETIRED.ALL event and a minimum period of 32 for other events to mitigate these hardware errata. The vulnerability manifests as warnings such as "perfevents: irq loop stuck!" and "interrupt took too long," indicating that the performance monitoring interrupts are not handled correctly, potentially leading to system performance degradation or instability. The issue was discovered through concurrent execution of the Linux Test Project (LTP) test cve-2015-3290, which revealed these warnings. The recommended workaround for HSW143, which involves additional MSR writes to fix overcounting, was not implemented due to its overhead and limited scope, as no overcounting issues beyond fixed counter 1 have been reported. This vulnerability affects Linux kernel versions containing the specified commit hashes and impacts systems running on Intel Haswell processors with performance monitoring enabled. No known exploits are currently in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-46848 is primarily related to system stability and reliability rather than direct security breaches such as data exfiltration or privilege escalation. Systems running Linux kernels with vulnerable versions on Intel Haswell processors may experience performance monitoring inaccuracies, interrupt handling issues, and potential system instability or degraded performance. This can affect critical infrastructure, data centers, and enterprise environments relying on precise performance metrics for monitoring and tuning. Organizations using performance monitoring tools for diagnostics, capacity planning, or security monitoring may receive misleading data, impacting operational decisions. While the vulnerability does not directly expose confidential data or allow unauthorized access, the resulting instability could lead to service disruptions or increased downtime, which is critical for sectors such as finance, healthcare, and manufacturing prevalent in Europe. Additionally, inaccurate performance data could hinder incident response and forensic analysis. Since no known exploits are reported, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploitation or cascading failures in complex environments.
Mitigation Recommendations
European organizations should apply the latest Linux kernel patches that enforce minimum period values for performance monitoring events on Haswell processors. Specifically, ensure that kernel versions include the fix that sets the INST_RETIRED.ALL event period to at least 128 and other events to at least 32 to comply with hardware errata HSW11 and HSW143. System administrators should audit their environments to identify systems running vulnerable kernel versions and Intel Haswell CPUs. Disable or limit the use of perf events on affected systems if immediate patching is not feasible, especially in production environments where stability is critical. Monitoring tools and performance analysis workflows should be reviewed to detect anomalies or warnings related to perf events, such as "irq loop stuck" or "interrupt took too long," which may indicate the vulnerability is active. For environments with Hyper-Threading enabled, consider disabling Hyper-Threading temporarily if performance monitoring accuracy is critical and the workaround for HSW143 is not implemented. Engage with Linux distribution vendors to obtain timely updates and backported patches. Finally, incorporate this vulnerability into vulnerability management and patching cycles to ensure ongoing compliance and risk reduction.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2024-46848: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: <NMI> ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.
AI-Powered Analysis
Technical Analysis
CVE-2024-46848 is a vulnerability identified in the Linux kernel's performance monitoring unit (PMU) code for Intel Haswell (HSW) processors. The issue arises from the handling of the period parameter in the frequency estimation algorithm used by the perf subsystem, specifically when monitoring hardware performance events. The vulnerability is triggered by setting an initial period value that is too low (initially 1), which violates hardware errata HSW11 and HSW143 documented for Haswell CPUs. Erratum HSW11 requires a minimum period larger than 100 for the INST_RETIRED.ALL event to avoid hardware defects, but the kernel's initial period was set to 1, leading to erratic behavior and potential system instability. Erratum HSW143 involves overcounting issues on fixed counter 1 when Hyper-Threading is enabled, causing inaccurate event counts and interrupt handling problems. The kernel patch enforces a minimum period of 128 for the INST_RETIRED.ALL event and a minimum period of 32 for other events to mitigate these hardware errata. The vulnerability manifests as warnings such as "perfevents: irq loop stuck!" and "interrupt took too long," indicating that the performance monitoring interrupts are not handled correctly, potentially leading to system performance degradation or instability. The issue was discovered through concurrent execution of the Linux Test Project (LTP) test cve-2015-3290, which revealed these warnings. The recommended workaround for HSW143, which involves additional MSR writes to fix overcounting, was not implemented due to its overhead and limited scope, as no overcounting issues beyond fixed counter 1 have been reported. This vulnerability affects Linux kernel versions containing the specified commit hashes and impacts systems running on Intel Haswell processors with performance monitoring enabled. No known exploits are currently in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the impact of CVE-2024-46848 is primarily related to system stability and reliability rather than direct security breaches such as data exfiltration or privilege escalation. Systems running Linux kernels with vulnerable versions on Intel Haswell processors may experience performance monitoring inaccuracies, interrupt handling issues, and potential system instability or degraded performance. This can affect critical infrastructure, data centers, and enterprise environments relying on precise performance metrics for monitoring and tuning. Organizations using performance monitoring tools for diagnostics, capacity planning, or security monitoring may receive misleading data, impacting operational decisions. While the vulnerability does not directly expose confidential data or allow unauthorized access, the resulting instability could lead to service disruptions or increased downtime, which is critical for sectors such as finance, healthcare, and manufacturing prevalent in Europe. Additionally, inaccurate performance data could hinder incident response and forensic analysis. Since no known exploits are reported, the immediate risk is moderate, but unpatched systems remain vulnerable to potential future exploitation or cascading failures in complex environments.
Mitigation Recommendations
European organizations should apply the latest Linux kernel patches that enforce minimum period values for performance monitoring events on Haswell processors. Specifically, ensure that kernel versions include the fix that sets the INST_RETIRED.ALL event period to at least 128 and other events to at least 32 to comply with hardware errata HSW11 and HSW143. System administrators should audit their environments to identify systems running vulnerable kernel versions and Intel Haswell CPUs. Disable or limit the use of perf events on affected systems if immediate patching is not feasible, especially in production environments where stability is critical. Monitoring tools and performance analysis workflows should be reviewed to detect anomalies or warnings related to perf events, such as "irq loop stuck" or "interrupt took too long," which may indicate the vulnerability is active. For environments with Hyper-Threading enabled, consider disabling Hyper-Threading temporarily if performance monitoring accuracy is critical and the workaround for HSW143 is not implemented. Engage with Linux distribution vendors to obtain timely updates and backported patches. Finally, incorporate this vulnerability into vulnerability management and patching cycles to ensure ongoing compliance and risk reduction.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-11T15:12:18.290Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbe030b
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 6:41:29 PM
Last updated: 8/18/2025, 6:47:07 AM
Views: 13
Related Threats
CVE-2025-55455: n/a
HighCVE-2025-8193
UnknownCVE-2025-9356: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-9355: Stack-based Buffer Overflow in Linksys RE6250
HighCVE-2025-43761: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.