CVE-2024-46824
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's iommufd subsystem allows local attackers to cause a kernel panic (denial of service) when attempting to invalidate IOMMU page table caches. This affects systems using iommufd with drivers that don't implement the required cache_invalidate_user operation. The vulnerability requires local access to the system.
💻 Affected Systems
- Linux kernel
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service causing kernel panic and system crash, potentially leading to data loss or service disruption.
Likely Case
Local denial of service through kernel panic when privileged users or processes trigger the invalidate ioctl on affected configurations.
If Mitigated
No impact if proper access controls prevent local users from executing the vulnerable ioctl or if affected drivers aren't used.
🎯 Exploit Status
Exploitation requires local access and ability to trigger the invalidate ioctl. The vulnerability was discovered during development/bisection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in kernel commits 89827a4de802765b1ebb401fc1e73a90108c7520 and a11dda723c6493bb1853bbc61c093377f96e2d47
Vendor Advisory: https://git.kernel.org/stable/c/89827a4de802765b1ebb401fc1e73a90108c7520
Restart Required: Yes
Instructions:
1. Update to a kernel version containing the fix commits.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking kernel version.
🔧 Temporary Workarounds
Disable iommufd if not needed
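Remove or disable the iommufd module if it is not required for system functionality. modprobe -r fails while the module is in use, and these commands do not apply when iommufd is built into the kernel rather than loaded as a module.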
modprobe -r iommufd
echo 'blacklist iommufd' >> /etc/modprobe.d/blacklist.conf
Restrict access to ioctl
Use security modules or access controls to restrict which users can execute the vulnerable ioctl
🧯 If You Can't Patch
- Ensure only trusted users have local access to affected systems
- Monitor for kernel panic events and investigate any unauthorized local access attempts
🔍 How to Verify
Check if Vulnerable:
Check if system is using an affected kernel version and has iommufd loaded: uname -r && lsmod | grep iommufd
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits or is newer than affected versions
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs mentioning 'iommufd_hwpt_invalidate' or NULL pointer dereference
- System crash/reboot events following ioctl operations
Network Indicators:
- No network indicators - local exploit only
SIEM Query:
event_type:kernel_panic AND (message:"iommufd" OR message:"NULL pointer dereference")
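
One way to apply the log indicators above with fewer false positives than a keyword match, as an added example that is not part of the original advisory: group each NULL pointer dereference oops and flag only those whose call trace contains the iommufd_hwpt_invalidate frame. The sample log is constructed, and the oops start and end markers used are assumptions about the usual kernel oops layout.

```python
import re

# Constructed kernel log sample (timestamps, offsets and the second oops are made up).
SAMPLE_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  212.340112] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  212.340120] #PF: supervisor instruction fetch in kernel mode
[  212.340131] RIP: 0010:0x0
[  212.340140] Call Trace:
[  212.340150]  iommufd_hwpt_invalidate+0x1a2/0x2c0 [iommufd]
[  212.340158]  iommufd_fops_ioctl+0x154/0x270 [iommufd]
[  212.340166]  __x64_sys_ioctl+0x94/0xd0
[  212.340175] ---[ end trace 0000000000000000 ]---
[  388.120004] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  388.120015] RIP: 0010:other_driver_fn+0x20/0x80 [other_driver]
[  388.120022] Call Trace:
[  388.120030]  other_driver_fn+0x20/0x80 [other_driver]
[  388.120041] ---[ end trace 0000000000000000 ]---
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
# A stack frame looks like "symbol+0xoff/0xsize"; match the symbol named in the advisory.
TARGET_FRAME = re.compile(r"\biommufd_hwpt_invalidate\+0x[0-9a-f]+/0x[0-9a-f]+")


def split_oopses(log_text):
    """Return each NULL-dereference oops as a list of its log lines."""
    blocks, current = [], None
    for line in log_text.splitlines():
        if OOPS_START.search(line):
            if current:                 # previous oops never reached its end marker
                blocks.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
            if OOPS_END.search(line):
                blocks.append(current)
                current = None
    if current:                         # log cut off by the crash itself
        blocks.append(current)
    return blocks


def find_iommufd_invalidate_oopses(log_text):
    """Keep only oopses whose trace contains the iommufd_hwpt_invalidate frame."""
    return [b for b in split_oopses(log_text)
            if any(TARGET_FRAME.search(line) for line in b)]
```

Pass it kernel log text saved from the boot that crashed, for example the output of journalctl -k -b -1 on systems with a persistent journal.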