
CVE-2024-46853: Vulnerability in the Linux kernel (spi: nxp-fspi)

High
Published: Fri Sep 27 2024 (09/27/2024, 12:42:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

Change the memcpy length to fix the out-of-bounds issue when writing the data that is not 4 byte aligned to TX FIFO.

To reproduce the issue, write 3 bytes data to NOR chip.

dd if=3b of=/dev/mtd0

[ 36.926103] ==================================================================
[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[ 36.946721]
[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[ 36.961260] Call trace:
[ 36.963723] dump_backtrace+0x90/0xe8
[ 36.967414] show_stack+0x18/0x24
[ 36.970749] dump_stack_lvl+0x78/0x90
[ 36.974451] print_report+0x114/0x5cc
[ 36.978151] kasan_report+0xa4/0xf0
[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28
[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838
[ 36.990800] spi_mem_exec_op+0x8ec/0xd30
[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0
[ 36.999323] spi_mem_dirmap_write+0x238/0x32c
[ 37.003710] spi_nor_write_data+0x220/0x374
[ 37.007932] spi_nor_write+0x110/0x2e8
[ 37.011711] mtd_write_oob_std+0x154/0x1f0
[ 37.015838] mtd_write_oob+0x104/0x1d0
[ 37.019617] mtd_write+0xb8/0x12c
[ 37.022953] mtdchar_write+0x224/0x47c
[ 37.026732] vfs_write+0x1e4/0x8c8
[ 37.030163] ksys_write+0xec/0x1d0
[ 37.033586] __arm64_sys_write+0x6c/0x9c
[ 37.037539] invoke_syscall+0x6c/0x258
[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c
[ 37.046244] do_el0_svc+0x44/0x5c
[ 37.049589] el0_svc+0x38/0x78
[ 37.052681] el0t_64_sync_handler+0x13c/0x158
[ 37.057077] el0t_64_sync+0x190/0x194
[ 37.060775]
[ 37.062274] Allocated by task 455:
[ 37.065701] kasan_save_stack+0x2c/0x54
[ 37.069570] kasan_save_track+0x20/0x3c
[ 37.073438] kasan_save_alloc_info+0x40/0x54
[ 37.077736] __kasan_kmalloc+0xa0/0xb8
[ 37.081515] __kmalloc_noprof+0x158/0x2f8
[ 37.085563] mtd_kmalloc_up_to+0x120/0x154
[ 37.089690] mtdchar_write+0x130/0x47c
[ 37.093469] vfs_write+0x1e4/0x8c8
[ 37.096901] ksys_write+0xec/0x1d0
[ 37.100332] __arm64_sys_write+0x6c/0x9c
[ 37.104287] invoke_syscall+0x6c/0x258
[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c
[ 37.112972] do_el0_svc+0x44/0x5c
[ 37.116319] el0_svc+0x38/0x78
[ 37.119401] el0t_64_sync_handler+0x13c/0x158
[ 37.123788] el0t_64_sync+0x190/0x194
[ 37.127474]
[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0
[ 37.128977]  which belongs to the cache kmalloc-8 of size 8
[ 37.141177] The buggy address is located 0 bytes inside of
[ 37.141177]  allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[ 37.153465]
[ 37.154971] The buggy address belongs to the physical page:
[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.175149] page_type: 0xfdffffff(slab)
[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[ 37.194553] page dumped because: kasan: bad access detected
[ 37.200144]
[ 37.201647] Memory state around the buggy address:
[ 37.206460]  ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[ 37.213701]  ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[ 37.228186]                                ^
[ 37.232473]  ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.239718]  ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.246962] ==============================================================
---truncated---

AI-Powered Analysis

Last updated: 06/28/2025, 18:42:25 UTC

Technical Analysis

CVE-2024-46853 is a flaw in the Linux kernel's NXP FlexSPI controller driver (nxp-fspi), which drives the SPI NOR flash attached to NXP i.MX SoCs; the report above was taken on an i.MX8QM MEK board. When nxp_fspi_exec_op() loads a write payload into the controller's TX FIFO it does so one 32-bit word at a time. For a buffer whose length is not a multiple of 4, the code that handled the unaligned tail still issued a 4-byte memcpy, so the copy read past the end of the source buffer. The kernel commit message reproduces it with a 3-byte write to /dev/mtd0: mtdchar_write() allocates a 3-byte buffer with mtd_kmalloc_up_to() (it lands in the kmalloc-8 cache, as the report shows), and KASAN flags a 4-byte read starting at that buffer, one byte beyond the allocation. Note the direction of the bug: it is an out-of-bounds read of the source buffer, not a write beyond the TX FIFO, and the fix simply shortens the final memcpy to the number of bytes actually remaining. The call trace runs from the MTD character device write path (mtdchar_write -> mtd_write -> spi_nor_write -> spi_mem_exec_op -> nxp_fspi_exec_op), which is the normal interface through which user space writes raw flash on embedded Linux. Because kmalloc object sizes are multiples of 4, the tail word always ends inside the slab object that holds the buffer: the read never crosses into another object or page, so a production kernel without KASAN does not fault here. The practical effect is that one to three bytes of stale slab memory adjacent to the user's data are copied into the TX FIFO word instead of padding; whether those bytes are actually clocked out to the flash depends on the transfer length the controller is programmed with, which the report does not cover. The affected range is kernels containing commit a5356aef6a907c2e2aed0caaa2b88b6021394471 (the point from which the kernel CVE record counts the bug as present) up to the fixing commit. No exploitation in the wild is known and no CVSS score has been assigned. Triggering it requires write access to an MTD device node, which in a default configuration means root or a user deliberately granted access to /dev/mtd*. The realistic impact is therefore limited to a KASAN splat (or a crash where KASAN is configured to panic) on debug builds and a small leak of adjacent heap bytes into a flash write on production builds; an over-read of this shape does not by itself provide the memory corruption needed for privilege escalation or code execution.
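To make the tail-word over-read concrete, the following is an added example written for this page, not the nxp-fspi driver's own code. It models the FIFO fill pattern the commit message describes in user space: the FIFO is an array of 32-bit words, the payload is pushed one word at a time, and the only difference between the two fillers is the memcpy length used for the unaligned tail. The struct slab_slot standing in for the kmalloc-8 slot, the function names and the 0xEE sentinel are all constructed for illustration.

```c
/*
 * Added example, not the nxp-fspi driver's own code: a user-space model of
 * the TX FIFO fill pattern described in the commit message. The FIFO is a
 * plain array of 32-bit words; the payload is written one word at a time,
 * and only the memcpy length for the unaligned tail differs between the two
 * fillers. Names (fifo_fill_unsafe, fifo_fill_fixed, slab_slot) are
 * illustrative assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIFO_WORDS 8

/*
 * Constructed stand-in for the kmalloc-8 slot in the KASAN report: the 3-byte
 * payload the user wrote, followed by bytes the caller does not own. Keeping
 * both inside one struct lets the over-read be observed without a sanitizer
 * and without undefined behaviour in this model.
 */
struct slab_slot {
    uint8_t payload[3];
    uint8_t neighbour[5];
};

typedef size_t (*fill_fn)(uint32_t *fifo, const uint8_t *buf, size_t nbytes);

/* Pre-fix pattern: the tail word is filled with a full 4-byte memcpy. */
static size_t fifo_fill_unsafe(uint32_t *fifo, const uint8_t *buf, size_t nbytes)
{
    size_t i, words = 0;
    uint32_t data;

    for (i = 0; i + 4 <= nbytes; i += 4) {       /* whole words */
        memcpy(&data, buf + i, 4);
        fifo[words++] = data;
    }
    if (i < nbytes) {                            /* 1..3 trailing bytes */
        data = 0;
        memcpy(&data, buf + i, 4);               /* BUG: reads past nbytes */
        fifo[words++] = data;
    }
    return words;
}

/* Fixed pattern: copy only the bytes that remain; the word is zero padded. */
static size_t fifo_fill_fixed(uint32_t *fifo, const uint8_t *buf, size_t nbytes)
{
    size_t i, words = 0;
    uint32_t data;

    for (i = 0; i + 4 <= nbytes; i += 4) {
        memcpy(&data, buf + i, 4);
        fifo[words++] = data;
    }
    if (i < nbytes) {
        size_t remaining = nbytes - i;           /* always 1..3 here */
        data = 0;
        memcpy(&data, buf + i, remaining);
        fifo[words++] = data;
    }
    return words;
}

/* Byte idx (0..3) of a word as it sits in memory, independent of endianness. */
static uint8_t word_byte(uint32_t word, int idx)
{
    uint8_t b[4];
    memcpy(b, &word, sizeof b);
    return b[idx];
}

/*
 * Replays the 3-byte write from the report through one filler. Returns the
 * value that landed in the fourth byte lane of the only FIFO word, or -1 if
 * the filler produced the wrong word count or mangled the three real bytes.
 */
static int tail_lane3(fill_fn fill)
{
    struct slab_slot slot = { {0x11, 0x22, 0x33}, {0xEE, 0xEE, 0xEE, 0xEE, 0xEE} };
    uint32_t fifo[FIFO_WORDS] = {0};

    /* Pass the whole slot so the over-read stays inside this object. */
    if (fill(fifo, (const uint8_t *)&slot, sizeof slot.payload) != 1)
        return -1;
    if (word_byte(fifo[0], 0) != 0x11 || word_byte(fifo[0], 1) != 0x22 ||
        word_byte(fifo[0], 2) != 0x33)
        return -1;
    return word_byte(fifo[0], 3);
}

int main(void)
{
    printf("unsafe filler, tail word lane 3: 0x%02x (byte from past the buffer)\n",
           tail_lane3(fifo_fill_unsafe));
    printf("fixed  filler, tail word lane 3: 0x%02x (zero padding)\n",
           tail_lane3(fifo_fill_fixed));
    return 0;
}
```

The unsafe filler returns 0xEE for the fourth lane, the sentinel placed just past the 3-byte payload, while the fixed filler returns 0x00. In the kernel the bytes past the buffer are whatever the slab slot last held, which is why KASAN classifies this as a read of uninitialised neighbouring memory rather than a write; a real kernel build would also need to keep the tail memcpy length bounded by the remaining byte count exactly as fifo_fill_fixed does.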

Potential Impact

For European organizations that run embedded Linux on NXP i.MX parts with FlexSPI-attached NOR flash (manufacturing equipment, automotive ECUs and gateways, telecom CPE, industrial IoT), the realistic exposure is narrow. The bug is an over-read of one to three bytes past a small kernel buffer during a raw flash write. It needs write access to an MTD device node, which on a sensibly configured device is root only, and whoever holds that access can already rewrite the flash wholesale. What the kernel report supports is a KASAN splat, or a crash where KASAN is configured to panic, on debug builds, and on production builds the chance that a few bytes of stale slab memory are pushed into the flash write instead of padding: a minor integrity or information-leak concern, not a privilege-escalation path on its own. Exposure is highest where non-root services have been given /dev/mtd* access for firmware update or configuration storage, on multi-tenant or developer-accessible boards, and in fleets running vendor BSP kernels that trail mainline and may not yet carry the fix. Organizations whose products or supply chains include such hardware should confirm which kernel tree each device runs. No exploitation in the wild is known; the fix is a small length correction and belongs in the normal kernel update cadence rather than an emergency patch cycle.

Mitigation Recommendations

1. Take the upstream fix for the nxp-fspi driver (the memcpy length change from the commit "spi: nxp-fspi: fix the KASAN report out-of-bounds bug") through your distribution's or SoC vendor's kernel update. NXP i.MX boards commonly run vendor BSP kernels that trail mainline, so confirm the vendor tree actually carries the backport rather than inferring it from the kernel version string.
2. Keep the /dev/mtd* nodes owned by root and not writable by other users (the usual default) and do not grant non-root services write access; anyone who can write raw flash can replace firmware regardless of this bug.
3. Where a service legitimately has to update flash, confine it: a dedicated user, a seccomp or MAC policy, or a small privileged helper that exposes only the required operation, rather than handing the service the device node.
4. Use verified boot and flash integrity checks on embedded devices. They do not prevent the over-read, but they bound what an attacker who already has MTD write access can achieve with it.
5. Periodically audit embedded Linux devices for kernel version and for whether the driver is actually in use (a device bound under /sys/bus/platform/drivers/nxp-fspi); devices without a FlexSPI flash are not exposed.
6. Run kernel test builds with KASAN enabled in CI or QA so this class of bug is caught before release; in production, use SELinux or AppArmor policies to restrict MTD access. KASLR and similar exploit mitigations do not help with a bounded over-read of this kind.
7. In environments where patching is delayed and runtime flash writes are not needed, mark the relevant MTD partitions read-only (for example with the read-only property on fixed partitions in the device tree) or leave the flash unconfigured for writes.
8. Maintain an inventory of embedded devices, SoC families and kernel versions in use so that patching and risk decisions can be prioritised per product line.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-09-11T15:12:18.290Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9825c4522896dcbe0344

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 6:42:25 PM

Last updated: 8/12/2025, 10:36:25 PM
