Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-46798

Disclosure Date: September 18, 2024 •

CVE-2024-46798 CVSS v3 Base Score: 7.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

When using kernel with the following extra config,

CONFIG_KASAN=y
CONFIG_KASAN_GENERIC=y
CONFIG_KASAN_INLINE=y
CONFIG_KASAN_VMALLOC=y
CONFIG_FRAME_WARN=4096

kernel detects that snd_pcm_suspend_all() access a freed
‘snd_soc_pcm_runtime’ object when the system is suspended, which
leads to a use-after-free bug:

[ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270
[ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330

[ 52.047785] Call trace:
[ 52.047787] dump_backtrace+0x0/0x3c0
[ 52.047794] show_stack+0x34/0x50
[ 52.047797] dump_stack_lvl+0x68/0x8c
[ 52.047802] print_address_description.constprop.0+0x74/0x2c0
[ 52.047809] kasan_report+0x210/0x230
[ 52.047815] __asan_report_load1_noabort+0x3c/0x50
[ 52.047820] snd_pcm_suspend_all+0x1a8/0x270
[ 52.047824] snd_soc_suspend+0x19c/0x4e0

The snd_pcm_sync_stop() has a NULL check on ‘substream->runtime’ before
making any access. So we need to always set ‘substream->runtime’ to NULL
everytime we kfree() it.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

linux

Products

linux kernel,
linux kernel 6.11

References

Canonical

CVE-2024-46798 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46798)

Miscellaneous

https://git.kernel.org/stable/c/993b60c7f93fa1d8ff296b58f646a867e945ae89

https://git.kernel.org/stable/c/8ca21e7a27c66b95a4b215edc8e45e5d66679f9f

https://git.kernel.org/stable/c/3033ed903b4f28b5e1ab66042084fbc2c48f8624

https://git.kernel.org/stable/c/fe5046ca91d631ec432eee3bdb1f1c49b09c8b5e

https://git.kernel.org/stable/c/5d13afd021eb43868fe03cef6da34ad08831ad6d

https://git.kernel.org/stable/c/6a14fad8be178df6c4589667efec1789a3307b4e

https://git.kernel.org/stable/c/b4a90b543d9f62d3ac34ec1ab97fc5334b048565

Rapid7

Unknown

CVE-2024-46798

Unknown

Unknown

None

Low

Local

CVE-2024-46798

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-46798

Unknown

Unknown

None

Low

Local

CVE-2024-46798

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification