CVE-2024-57979
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's PPS (Pulse Per Second) subsystem. When unregistering a PPS device, the kernel frees memory that may still be accessed by previously opened character devices, potentially leading to kernel crashes or privilege escalation. Systems running affected Linux kernel versions with PPS devices (e.g., GPS receivers) are vulnerable.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential privilege escalation to kernel mode, or arbitrary code execution in kernel context.
Likely Case
System instability, kernel crashes during device removal/reboot, denial of service affecting system availability.
If Mitigated
Minimal impact if PPS devices are not used or system is patched; isolated crashes in specific device removal scenarios.
🎯 Exploit Status
Exploitation requires local access and ability to trigger PPS device removal while devices are open. The bug was discovered during normal system operation (reboot with gpsd/ntpd running).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel containing commit 1a7735ab2cb9747518a7416fb5929e85442dec62 or later
Vendor Advisory: https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution's repositories.
2. For custom kernels, apply the fix commit to your kernel source.
3. Rebuild and install the kernel.
4. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Disable PPS subsystem
Linux: Remove or disable PPS device support if not needed
# Check if PPS is loaded:
lsmod | grep pps
# Remove module:
sudo rmmod pps_core
# Blacklist to prevent loading:
echo 'blacklist pps_core' | sudo tee /etc/modprobe.d/blacklist-pps.conf
Stop PPS-using services
Linux: Stop services like gpsd and ntpd that use PPS devices
sudo systemctl stop gpsd
sudo systemctl stop ntpd
# Consider disabling at boot:
sudo systemctl disable gpsd ntpd
🧯 If You Can't Patch
- Avoid rebooting systems with PPS devices in use
- Ensure no processes have PPS devices open before device removal or system shutdown
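One way to carry out the second check before removing a device or shutting down, as an added example that is not part of the original advisory: it walks /proc/<pid>/fd for descriptors that point at /dev/pps*. The function names and the optional PROC_ROOT argument are assumptions made for this example; run it as root so that other users' processes are visible.

```shell
#!/bin/sh
# Added example: list processes that hold a PPS character device open.

# pps_holders [PROC_ROOT]
#   Prints "pid<TAB>comm<TAB>target" for every process with an open
#   descriptor on /dev/pps<N>. PROC_ROOT defaults to /proc; the argument
#   exists only so the function can be run against a constructed tree.
pps_holders() {
    root=${1:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue                 # unmatched glob or vanished fd
        target=$(readlink "$fd") || continue     # process exited mid-scan
        case $target in
            # Also matches "/dev/pps0 (deleted)": a descriptor that
            # outlived its device node.
            /dev/pps[0-9]*) ;;
            *) continue ;;
        esac
        pid=${fd#"$root"/}
        pid=${pid%%/*}
        comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
    done | sort -u                               # one line per pid and device
}

# safe_to_remove_pps [PROC_ROOT]
#   Succeeds only when no process holds a PPS device open.
safe_to_remove_pps() {
    [ -z "$(pps_holders "$@")" ]
}

if safe_to_remove_pps; then
    echo "no process holds /dev/pps*"
else
    echo "PPS devices still open by:"
    pps_holders
fi
```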
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if PPS subsystem is loaded:
uname -r && lsmod | grep -i pps
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version is patched and test by rebooting with PPS devices active while monitoring kernel logs for the warning message
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing 'kobject_put' warning with null kobject
- 'refcount_t: underflow; use-after-free' messages
- Kernel panic messages related to list_debug.c
Network Indicators:
- No network indicators - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("kobject_put" OR "use-after-free" OR ("pps" AND "panic"))
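The log indicators above as a small filter for hosts without a SIEM, added here as an example and not taken from the original advisory or the kernel project. The function names and the sample log lines are constructed; the match strings are the substrings this page lists.

```shell
#!/bin/sh
# Added example: tag kernel log lines that match the indicators listed above.

# scan_pps_uaf
#   Reads kernel log text on stdin and prints one "tag<TAB>line" per match.
scan_pps_uaf() {
    while IFS= read -r line; do
        case $line in
            *'refcount_t: underflow; use-after-free'*) tag=refcount_underflow ;;
            *kobject_put*)                             tag=kobject_put_warning ;;
            *list_debug.c*)                            tag=list_debug ;;
            *) continue ;;
        esac
        printf '%s\t%s\n' "$tag" "$line"
    done
}

# count_pps_uaf
#   Prints the number of matching lines in the log text on stdin.
count_pps_uaf() {
    scan_pps_uaf | wc -l | tr -d ' '
}

# Constructed sample input (not captured from a real system).
SAMPLE_LOG='[  101.000001] pps pps0: removed (constructed)
[  101.000002] kobject: (constructed) kobject_put() is being called.
[  101.000003] refcount_t: underflow; use-after-free.
[  101.000004] kernel BUG at lib/list_debug.c (constructed)
[  101.000005] usb 1-1: USB disconnect (constructed)'

printf '%s\n' "$SAMPLE_LOG" | scan_pps_uaf
```

On a host with a persistent systemd journal, `journalctl -k -b -1 --no-pager | scan_pps_uaf` checks the previous boot, which is where a crash during reboot would be recorded.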
🔗 References
- https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62
- https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e
- https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49
- https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870
- https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6
- https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7
- https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe
- https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html