CVE-2024-49924
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's PXA framebuffer driver that could allow local privilege escalation. The vulnerability occurs when the driver module is removed while scheduled work is still pending, potentially leading to kernel memory corruption. Only systems using the affected PXA framebuffer driver and where root users can remove kernel modules at runtime are affected.
💻 Affected Systems
- Linux kernel with PXA framebuffer driver (pxafb)
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise, kernel panic, or system instability.
Likely Case
Kernel crash or system instability when the driver module is removed while work is scheduled.
If Mitigated
No impact if the driver module is not removed at runtime or if proper patching is applied.
🎯 Exploit Status
Exploitation requires root access to trigger the module removal, making it a local privilege escalation vector rather than remote.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 3c0d416eb4bef705f699213cee94bf54b6acdacd, 4a6921095eb04a900e0000da83d9475eb958e61e, 4cda484e584be34d55ee17436ebf7ad11922b97a, 6d0a07f68b66269e167def6c0b90a219cd3e7473, a3a855764dbacbdb1cc51e15dc588f2d21c93e0e
Vendor Advisory: https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Check with your distribution vendor for specific patched kernel versions. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Prevent module removal
linuxRestrict root users from removing the pxafb kernel module at runtime.
echo 'install pxafb /bin/false' >> /etc/modprobe.d/pxafb.conf
rmmod pxafb
Disable module loading
linuxPrevent the pxafb module from being loaded if not required.
echo 'blacklist pxafb' >> /etc/modprobe.d/blacklist.conf
🧯 If You Can't Patch
- Restrict root access to prevent module removal
- Monitor for kernel module removal activities and system crashes
🔍 How to Verify
Check if Vulnerable:
Check if pxafb module is loaded: lsmod | grep pxafb. Check kernel version: uname -r and compare with patched versions from your distribution.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated to patched version and check that pxafb module is not loaded or is from patched kernel.📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- System crash dumps
- Module removal logs in syslog/kern.log
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Search for: 'rmmod pxafb' or kernel panic/crash events on systems with pxafb module🔗 References
- https://git.kernel.org/stable/c/3c0d416eb4bef705f699213cee94bf54b6acdacd
- https://git.kernel.org/stable/c/4a6921095eb04a900e0000da83d9475eb958e61e
- https://git.kernel.org/stable/c/4cda484e584be34d55ee17436ebf7ad11922b97a
- https://git.kernel.org/stable/c/6d0a07f68b66269e167def6c0b90a219cd3e7473
- https://git.kernel.org/stable/c/a3a855764dbacbdb1cc51e15dc588f2d21c93e0e
- https://git.kernel.org/stable/c/aaadc0cb05c999ccd8898a03298b7e5c31509b08
- https://git.kernel.org/stable/c/e657fa2df4429f3805a9b3e47fb1a4a1b02a72bd
- https://git.kernel.org/stable/c/e6897e299f57b103e999e62010b88e363b3eebae
- https://git.kernel.org/stable/c/fdda354f60a576d52dcf90351254714681df4370
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
