CVE-2024-46689
📋 TL;DR
A memory mapping vulnerability in the Linux kernel's Qualcomm cmd-db driver could cause denial-of-service on affected devices. The driver incorrectly maps shared memory as write-back (WB) instead of write-combining (WC), potentially triggering secure interrupts that lead to endless loops in Trust Zone when using certain hypervisors. This affects Linux systems with Qualcomm SoCs using the cmd-db driver, particularly when running under hypervisors like Xen or KVM.
💻 Affected Systems
- Linux kernel with Qualcomm cmd-db driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
System becomes completely unresponsive due to endless secure interrupt loops in Trust Zone, requiring physical power cycle to recover.
Likely Case
System instability or crashes when using non-Qualcomm hypervisors (Xen/KVM) on affected Qualcomm hardware.
If Mitigated
No impact if using Qualcomm Hypervisor or patched kernel versions.
🎯 Exploit Status
Exploitation requires specific hardware (Qualcomm SoC), specific driver usage, and alternative hypervisor configuration. This appears to be a reliability issue rather than a security bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 0ee9594c974368a17e85a431e9fe1c14fb65c278 or later
Vendor Advisory: https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. For distributions: Use package manager to update kernel package. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Use Qualcomm Hypervisor
linuxContinue using Qualcomm Hypervisor instead of alternative hypervisors (Xen/KVM)
Disable cmd-db driver
linuxRemove or blacklist the cmd-db driver if not required
echo 'blacklist cmd-db' >> /etc/modprobe.d/blacklist.conf
update-initramfs -u
reboot
🧯 If You Can't Patch
- Avoid using Xen or KVM hypervisors on affected Qualcomm hardware
- Ensure systems use Qualcomm Hypervisor exclusively
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if cmd-db driver is loaded: 'uname -r' and 'lsmod | grep cmd_db'Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits: 'git log --oneline | grep -E "(0ee9594c9743|62c2d63605ca|d9d48d70e922|eaff392c1e34|ef80520be0ff)"'📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- Secure interrupt errors in dmesg
- Hypervisor crash logs
Network Indicators:
- Sudden loss of connectivity from affected systems
SIEM Query:
source="kernel" AND ("cmd-db" OR "secure interrupt" OR "Trust Zone loop")🔗 References
- https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278
- https://git.kernel.org/stable/c/62c2d63605ca25b5db78a347ed303c0a0a77d5b4
- https://git.kernel.org/stable/c/d9d48d70e922b272875cda60d2ada89291c840cf
- https://git.kernel.org/stable/c/eaff392c1e34fb77cc61505a31b0191e5e46e271
- https://git.kernel.org/stable/c/ef80520be0ff78ae5ed44cb6eee1525e65bebe70
- https://git.kernel.org/stable/c/f5a5a5a0e95f36e2792d48e6e4b64e665eb01374
- https://git.kernel.org/stable/c/f9bb896eab221618927ae6a2f1d566567999839d
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
