CVE-2024-49886: Vulnerability in Linux (Linux kernel)
Description
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
Attaching an SST PCI device to a VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000 which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: k ---truncated---
AI Analysis
Technical Summary
CVE-2024-49886 is a recently disclosed vulnerability in the Linux kernel affecting the Intel Speed Select Technology (ISST) interface, specifically within the x86 platform code. The vulnerability manifests as a slab-out-of-bounds memory access error detected by Kernel Address Sanitizer (KASAN) when attaching an SST PCI device to a virtual machine (VM). The issue occurs in the function _isst_if_get_pci_dev within the isst_if_common kernel module, where a read operation accesses memory just beyond a 512-byte object allocated from the kmalloc-512 slab cache. This out-of-bounds read can lead to undefined behavior, including kernel crashes (BUG reports) and potential memory corruption. The vulnerability is triggered during CPU hotplug operations, as indicated by the involvement of the cpuhp kernel thread in the call stack. The bug is reproducible in virtualized environments such as VMware, as shown in the provided logs. The root cause is a read that starts exactly at the end of the allocated region: the KASAN report places the 8-byte read 0 bytes to the right of the 512-byte object, so every byte of the access lies outside the allocation, violating memory safety guarantees. Although no known exploits are reported in the wild, the flaw could be leveraged by a local attacker with privileges to attach SST PCI devices or manipulate CPU hotplug events to cause denial of service via kernel panic or potentially escalate privileges through memory corruption. The vulnerability affects multiple recent Linux kernel versions identified by their git commit hashes, and a patch has been issued to fix the slab-out-of-bounds bug by correcting the memory access logic in the ISST driver code. No CVSS score has been assigned yet, but the technical details and kernel logs confirm a serious memory safety issue within a critical kernel subsystem.
Potential Impact
For European organizations, the impact of CVE-2024-49886 can be significant, especially for those relying on Linux-based virtualized infrastructure and cloud environments. The vulnerability primarily affects systems running Linux kernels with ISST support on x86 platforms, which are common in enterprise data centers and cloud providers across Europe. Exploitation could lead to kernel crashes causing denial of service, disrupting critical services and workloads. In multi-tenant virtualized environments, such as those used by European cloud service providers or large enterprises, an attacker with local access could exploit this flaw to destabilize host systems or potentially escalate privileges, threatening confidentiality and integrity of hosted data. The vulnerability's presence in CPU hotplug and PCI device management code also raises concerns for high-availability systems that dynamically manage hardware resources. Given the widespread use of Linux in European government, financial, and industrial sectors, unpatched systems could face operational disruptions and increased risk of targeted attacks. Although no active exploits are known, the vulnerability's nature and kernel-level impact warrant urgent attention to prevent potential exploitation in sensitive environments.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address CVE-2024-49886 as soon as they become available from their Linux distribution vendors. Until patches are deployed, organizations should consider the following specific mitigations:
1) Restrict and monitor access to virtual machine management interfaces and PCI device attachment capabilities to trusted administrators only, minimizing the risk of local exploitation.
2) Disable or limit the use of Intel Speed Select Technology (ISST) features if not required, reducing the attack surface related to the vulnerable driver.
3) Implement strict kernel module loading policies to prevent unauthorized or untrusted modules from being loaded, which could exploit this vulnerability.
4) Enhance monitoring for kernel crash logs and KASAN reports to detect early signs of exploitation attempts.
5) In virtualized environments, isolate critical workloads and consider using hypervisor-level controls to restrict PCI passthrough features.
6) Coordinate with Linux distribution vendors and cloud providers to ensure timely updates and security advisories are followed.
These targeted measures go beyond generic patching advice by focusing on access control, feature minimization, and proactive detection tailored to the vulnerability's characteristics.
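Mitigation 4 asks for monitoring of KASAN reports. The parser below is an added example, not part of the advisory or of the kernel project: it pulls the bug kind, faulting function, module, access size and distance past the object's end out of a dmesg dump (the excerpt is constructed, modelled on the report quoted above) and flags the signature of this CVE.

```python
import re
from typing import Dict, List, Optional

# Constructed dmesg excerpt modelled on the report quoted in the CVE description; last line is noise.
SAMPLE_DMESG = """\
[   19.411889] ==================================================================
[   19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[   19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[   19.484818] The buggy address is located 0 bytes to the right of
[   19.484818]  allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[   19.503784] ==================================================================
[   20.100000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""
TS_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # "[   19.413702] "
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                      r"(?: \[(?P<module>\w+)\])?")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)")
REGION = re.compile(r"located \d+ bytes to the (?:left|right) of (?:allocated )?\d+-byte region"
                    r" \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")


def _parse_block(text: str) -> Optional[Dict]:
    """Parse one report whose (timestamp-stripped) lines were joined with spaces."""
    bug, acc = BUG_LINE.search(text), ACCESS.search(text)
    if not (bug and acc):
        return None
    rep = {"kind": bug["kind"], "func": bug["func"], "module": bug["module"],
           "op": acc["op"], "size": int(acc["size"]), "addr": int(acc["addr"], 16),
           "task": acc["task"], "bytes_past_end": None}
    reg = REGION.search(text)
    if reg:  # how far the access reaches beyond the object's last byte
        rep["bytes_past_end"] = rep["addr"] + rep["size"] - int(reg["end"], 16)
    return rep


def parse_kasan_reports(dmesg: str) -> List[Dict]:
    """Collect KASAN reports (bracketed by '====' lines) from a dmesg dump; lines are joined first."""
    reports, block, inside = [], [], False
    for raw in dmesg.splitlines():
        line = TS_PREFIX.sub("", raw).strip()
        if re.fullmatch(r"=+", line):
            if inside:
                reports.append(_parse_block(" ".join(block)))
            block, inside = [], not inside
        elif inside:
            block.append(line)
    if inside:  # report cut off before its closing separator, as in the advisory's quote
        reports.append(_parse_block(" ".join(block)))
    return [r for r in reports if r]


def matches_cve_2024_49886(rep: Dict) -> bool:
    """Signature of the report quoted in the advisory: OOB read in _isst_if_get_pci_dev."""
    return (rep["kind"] == "slab-out-of-bounds" and rep["op"] == "Read"
            and rep["func"] == "_isst_if_get_pci_dev" and rep["module"] == "isst_if_common")
```

KASAN is a build-time debug option, so on production kernels built without it the same defect surfaces as a plain oops or silent corruption rather than a report this parser can pick up.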
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.022Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe08b3
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 9:12:26 PM
Last updated: 7/21/2025, 7:55:16 PM