CVE-2024-27044 – This CVE describes a NULL pointer dereference v... (How to Fix)

Q: What is the severity of CVE-2024-27044?

CVE-2024-27044 has a CVSS score of 5.5 (MEDIUM). This CVE describes a NULL pointer dereference vulnerability in the AMD display driver within the Linux kernel. If exploited, it could cause a kernel panic or system crash, affecting systems running vulnerable Linux kernel versions with AMD graphics hardware. The vulnerability occurs when the 'stream' pointer is accessed before being checked for NULL in the dcn10_set_output_transfer_func() function.

📋 TL;DR

This CVE describes a NULL pointer dereference vulnerability in the AMD display driver within the Linux kernel. If exploited, it could cause a kernel panic or system crash, affecting systems running vulnerable Linux kernel versions with AMD graphics hardware. The vulnerability occurs when the 'stream' pointer is accessed before being checked for NULL in the dcn10_set_output_transfer_func() function.

💻 Affected Systems

Products:

Linux kernel with AMD GPU display driver (drm/amd/display)

Versions: Specific Linux kernel versions containing the vulnerable code (exact versions not specified in CVE, but patches are available in stable branches)

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Requires AMD graphics hardware and the vulnerable display driver code path to be triggered.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially causing data loss or system instability.

🟠

Likely Case

System crash or kernel panic requiring reboot, resulting in temporary denial of service.

🟢

If Mitigated

No impact if the vulnerable code path is not triggered or if proper input validation prevents NULL pointer access.

🌐 Internet-Facing: LOW - This is a local kernel vulnerability requiring local access or specific conditions to trigger.

🏢 Internal Only: MEDIUM - Local users or processes could potentially trigger the vulnerability, causing system instability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the specific code path with a NULL stream pointer, which may require specific conditions or malicious input to the display subsystem.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in Linux kernel stable branches (commits: 14613d52bc7fc180df6d2c65ba65fc921fc1dda7, 29fde8895b2fcc33f44aea28c644ce2d9b62f9e0, 2d9fe7787af01188dc470a649bdbb842d6511fd7, 330caa061af53ea6d287d7c43d0703714e510e08, 6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb)

Vendor Advisory: https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7

Restart Required: Yes

Instructions:

1. Update Linux kernel to a version containing the fix. 2. Check if your distribution has released security updates. 3. Reboot system after kernel update.

🔧 Temporary Workarounds

Disable vulnerable AMD display features

linux

Potentially disable specific AMD display features or use different graphics drivers if possible

🧯 If You Can't Patch

Restrict local user access to systems with vulnerable kernels
Implement monitoring for kernel panics and system crashes

🔍 How to Verify

Check if Vulnerable:

Check kernel version and verify if it contains the vulnerable code from dcn10_hwseq.c around line 1875-1892

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is updated to include one of the fix commits, or check that the NULL pointer check occurs before dereference in dcn10_set_output_transfer_func()

📡 Detection & Monitoring

Log Indicators:

Kernel panic logs
System crash dumps
AMD display driver error messages

SIEM Query:

Search for kernel panic events or system crash reports in system logs

📊 Metadata

CVE ID: CVE-2024-27044

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

Published: May 1, 2024

Last Updated: December 23, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-27044, you might also want to check these: