CVE-2024-49862
📋 TL;DR
This CVE-2024-49862 is an off-by-one buffer access vulnerability in the Linux kernel's Intel RAPL (Running Average Power Limit) power capping subsystem. It allows local attackers to read kernel memory beyond the intended buffer boundaries, potentially exposing sensitive information. Systems running vulnerable Linux kernel versions with Intel processors supporting RAPL are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel memory disclosure leading to privilege escalation if combined with other vulnerabilities, or system crash/instability from accessing invalid memory regions.
Likely Case
Information disclosure of kernel memory contents, potentially revealing sensitive data or memory addresses that could aid further attacks.
If Mitigated
Limited impact with proper access controls preventing local user access, though still a kernel information leak vulnerability.
🎯 Exploit Status
Requires local access and ability to interact with the RAPL subsystem. Exploitation would involve triggering the off-by-one condition to read kernel memory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel commits: 288cbc505e2046638c615c36357cb78bc9fee1e0, 6a34f3b0d7f11fb6ed72da315fd2360abd9c0737, 851e7f7f14a15f4e47b7d0f70d5c4a2b95b824d6, 95f6580352a7225e619551febb83595bcb77ab17
Vendor Advisory: https://git.kernel.org/stable/c/288cbc505e2046638c615c36357cb78bc9fee1e0
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable intel_rapl module
linuxPrevent loading of the vulnerable intel_rapl kernel module
echo 'blacklist intel_rapl' >> /etc/modprobe.d/blacklist-intel_rapl.conf
update-initramfs -u
reboot
🧯 If You Can't Patch
- Restrict local user access to systems with vulnerable kernels
- Implement strict privilege separation and limit user capabilities
🔍 How to Verify
Check if Vulnerable:
Check if intel_rapl module is loaded: lsmod | grep intel_rapl. Check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated to include the fix commits, and intel_rapl module loads without errors.📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- System crash logs related to intel_rapl
- Unexpected kernel memory access errors
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for kernel panic logs or module loading errors containing 'intel_rapl'