CVERadar

CVE-2024-46859

Severity (SOCRadar): Critical
Platform: Linux
SVRS: 70/100
CVSSv3: 7.8/10
EPSS: 0.00033/1

CVE-2024-46859 is an out-of-bounds access bug in the Linux kernel's Panasonic laptop driver (platform/x86 panasonic-laptop), now fixed upstream. The driver indexes its SINF array with values from 0 up to SINF_CUR_BRIGHT (0x0d) without first checking that the firmware actually reported that many entries. Older models such as the Toughbook CF-18 expose a shorter array, so on those machines the driver reads and writes past the end of it. The CVSS v3.1 base score is 7.8 (High); the SOCRadar Vulnerability Risk Score (SVRS) is 70, which SOCRadar treats as a significant risk. The fix records the SINF array size and checks it before use: it requires enough entries for the brightness and mute settings, and hides the sysfs attributes a given model does not support, which removes the out-of-bounds reads and writes in the driver's show(), store(), probe() and resume() paths. The weakness is classified as CWE-129 (Improper Validation of Array Index). Two caveats for prioritisation: the attack vector is local (AV:L, PR:L), so exploitation requires a local user on an affected Panasonic model, and the EPSS of 0.00033 indicates a very low expected probability of exploitation in the wild.

In the wild: no (see Additional Information below)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (local attack vector, low complexity, low privileges required, no user interaction, unchanged scope; high confidentiality, integrity and availability impact)
Published: 2024-09-27
Last updated: 2024-10-17
SOCRadar AI Insight

Description:

CVE-2024-46859 is a memory-safety vulnerability in the Linux kernel's panasonic-laptop driver. The driver uses the SINF array with index values from 0 to SINF_CUR_BRIGHT (0x0d) without checking that the SINF array is big enough, so on models whose firmware reports fewer entries the driver accesses the array out of bounds. These accesses sit in the driver's sysfs show() and store() handlers and in its probe() and resume() paths, so a local user who can read or write those attributes on an affected machine can trigger them, as can the device's own probe or resume. The most likely outcome is a kernel crash (denial of service); as with any kernel out-of-bounds read or write, arbitrary code execution cannot be ruled out, although no exploit is known.
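The vulnerable pattern and the hardened pattern side by side, as an added user-space C model written for this page (it is not the panasonic-laptop driver's own code). It keeps the driver's SINF index names and the 0x0d value of SINF_CUR_BRIGHT; everything else is constructed for the example: the pcc_acpi struct, the 16-slot backing buffer, the canary value that stands in for whatever memory follows the real entries, the 10-entry "short model" (the page does not state how many entries the CF-18 reports, so that count is an assumption), and the probe-time minimum of SINF_MUTE + 1 entries.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SINF indices as used by the panasonic-laptop driver. */
enum sinf_bits {
	SINF_NUM_BATTERIES = 0,
	SINF_LCD_TYPE,
	SINF_AC_MAX_BRIGHT,
	SINF_AC_MIN_BRIGHT,
	SINF_AC_CUR_BRIGHT,
	SINF_DC_MAX_BRIGHT,
	SINF_DC_MIN_BRIGHT,
	SINF_DC_CUR_BRIGHT,
	SINF_MUTE,
	SINF_RESERVED,
	SINF_ECO_MODE   = 0x0A,
	SINF_CUR_BRIGHT = 0x0D,
};

#define SINF_STORAGE     16                /* constructed: slots in the simulation's backing buffer */
#define SINF_CANARY      0xDEADBEEFu       /* constructed: stands in for memory past the real entries */
#define SINF_MIN_ENTRIES (SINF_MUTE + 1)   /* assumption: brightness and mute entries must exist */

/* Simplified stand-in for the driver's per-device state (not the kernel's struct). */
struct pcc_acpi {
	uint32_t sinf[SINF_STORAGE];
	unsigned int num_sinf;   /* entries the firmware actually reported */
};

/* Constructed firmware: the first n slots hold real values, the rest hold the canary. */
static void pcc_init(struct pcc_acpi *pcc, unsigned int n)
{
	for (unsigned int i = 0; i < SINF_STORAGE; i++)
		pcc->sinf[i] = (i < n) ? 100 + i : SINF_CANARY;
	pcc->num_sinf = n;
}

/* Vulnerable pattern: index with SINF_CUR_BRIGHT and never consult num_sinf.
 * On a model with fewer than 14 entries this returns data from past the array. */
static uint32_t cur_bright_show_vulnerable(const struct pcc_acpi *pcc)
{
	return pcc->sinf[SINF_CUR_BRIGHT];
}

/* Hardened read (show() side): refuse any index the firmware did not back with an entry. */
static int sinf_read(const struct pcc_acpi *pcc, unsigned int idx, uint32_t *out)
{
	if (idx >= pcc->num_sinf)
		return -ENODEV;
	*out = pcc->sinf[idx];
	return 0;
}

/* Hardened write (store() side): same bound check before touching the array. */
static int sinf_write(struct pcc_acpi *pcc, unsigned int idx, uint32_t val)
{
	if (idx >= pcc->num_sinf)
		return -ENODEV;
	pcc->sinf[idx] = val;
	return 0;
}

/* What a sysfs .is_visible callback would decide: hide attributes the model cannot
 * back, so user space never reaches a show()/store() for them in the first place. */
static bool sinf_attr_visible(const struct pcc_acpi *pcc, unsigned int idx)
{
	return idx < pcc->num_sinf;
}

/* Probe-time check: fail before any accessor runs if the baseline entries are missing. */
static int pcc_probe_check(const struct pcc_acpi *pcc)
{
	return pcc->num_sinf >= SINF_MIN_ENTRIES ? 0 : -ENODEV;
}

int main(void)
{
	struct pcc_acpi short_model, full_model;
	uint32_t v = 0;
	int rc;

	pcc_init(&short_model, 10);   /* constructed short model: entries 0..9 only */
	pcc_init(&full_model, 14);    /* constructed full model: entries 0..0x0d */

	printf("vulnerable read, short model: 0x%08x (canary, i.e. out of bounds)\n",
	       cur_bright_show_vulnerable(&short_model));
	rc = sinf_read(&short_model, SINF_CUR_BRIGHT, &v);
	printf("hardened read, short model: rc=%d\n", rc);
	rc = sinf_read(&full_model, SINF_CUR_BRIGHT, &v);
	printf("hardened read, full model: rc=%d val=%u\n", rc, v);
	printf("cur_bright attribute visible: short=%d full=%d\n",
	       sinf_attr_visible(&short_model, SINF_CUR_BRIGHT),
	       sinf_attr_visible(&full_model, SINF_CUR_BRIGHT));
	return 0;
}
```

The canary makes the bug visible without undefined behaviour: the vulnerable accessor happily returns whatever sits past the real entries, while the hardened path returns -ENODEV and, because the attribute is hidden, user space cannot even reach it on the short model.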

Key Insights:

  • The CVSS v3.1 base score is 7.8 (High) and the SVRS is 70; SOCRadar rates this as a significant risk even though the EPSS (0.00033) is very low.
  • A local user on an affected Panasonic model could trigger the out-of-bounds access to crash the system (denial of service) or, potentially, to execute arbitrary code in the kernel.
  • There are no known active exploits for this vulnerability at this time.

Mitigation Strategies:

  • Update to a kernel that includes the fix (the upstream and stable commits are listed under References below).
  • If Panasonic platform support is not needed, unload and blacklist the panasonic_laptop module, or build the kernel without CONFIG_PANASONIC_LAPTOP.
  • The attack vector is local, so network restrictions do not address this issue; limit which local users can log in to affected machines until they are patched.

Additional Information:

  • The Cybersecurity and Infrastructure Security Agency (CISA) has not issued a warning for this vulnerability.
  • This vulnerability is not known to be used in the wild at this time.


Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

USN-7166-4: Linux kernel (Xilinx ZynqMP) vulnerabilities
2025-01-20
USN-7166-4: Linux kernel (Xilinx ZynqMP) vulnerabilities | Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM32 architecture; - RISC-V architecture; - S390 architecture; - x86 architecture; - Block layer subsystem; - ACPI drivers; - Drivers core; - ATA over ethernet (AOE) driver; - TPM device driver; - Clock framework and drivers; - Buffer Sharing and Synchronization framework; - EFI core; - GPIO subsystem; - GPU drivers; - HID subsystem; - I2C subsystem; - InfiniBand drivers; - Input Device core drivers; - Mailbox framework; - Media drivers; - Ethernet bonding driver; - Network drivers; - Mellanox network drivers; - Microsoft Azure Network Adapter
ubuntu.com
USN-7186-2: Linux kernel vulnerabilities
2025-01-09
USN-7186-2: Linux kernel vulnerabilities | Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). (CVE-2020-12352) Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel did not
ubuntu.com
USN-7194-1: Linux kernel (Azure) vulnerabilities
2025-01-09
USN-7194-1: Linux kernel (Azure) vulnerabilities | Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). (CVE-2020-12352) Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel did
ubuntu.com
USN-7186-1: Linux kernel (Intel IoTG) vulnerabilities
2025-01-06
USN-7186-1: Linux kernel (Intel IoTG) vulnerabilities | Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-12351) Andy Nguyen discovered that the Bluetooth A2MP implementation in the Linux kernel did not properly initialize memory in some situations. A physically proximate remote attacker could use this to expose sensitive information (kernel memory). (CVE-2020-12352) Andy Nguyen discovered that the Bluetooth HCI event packet parser in the Linux kernel
ubuntu.com
USN-7154-2: Linux kernel (HWE) vulnerabilities
2025-01-06
USN-7154-2: Linux kernel (HWE) vulnerabilities | Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM64 architecture; - MIPS architecture; - PowerPC architecture; - RISC-V architecture; - S390 architecture; - User-Mode Linux (UML); - x86 architecture; - Block layer subsystem; - Android drivers; - ATM drivers; - Drivers core; - Ublk userspace block driver; - Bluetooth drivers; - Character device driver; - Hardware crypto device drivers; - Buffer Sharing and Synchronization framework; - DMA engine subsystem; - Qualcomm firmware drivers; - GPIO subsystem; - GPU drivers; - HID subsystem; - Hardware monitoring drivers; - I2C subsystem; - I3C subsystem; - IIO subsystem; - InfiniBand
ubuntu.com
USN-7166-3: Linux kernel (HWE) vulnerabilities
2024-12-20
USN-7166-3: Linux kernel (HWE) vulnerabilities | Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM32 architecture; - RISC-V architecture; - S390 architecture; - x86 architecture; - Block layer subsystem; - ACPI drivers; - Drivers core; - ATA over ethernet (AOE) driver; - TPM device driver; - Clock framework and drivers; - Buffer Sharing and Synchronization framework; - EFI core; - GPIO subsystem; - GPU drivers; - HID subsystem; - I2C subsystem; - InfiniBand drivers; - Input Device core drivers; - Mailbox framework; - Media drivers; - Ethernet bonding driver; - Network drivers; - Mellanox network drivers; - Microsoft Azure Network Adapter (MANA
ubuntu.com
USN-7166-2: Linux kernel (AWS) vulnerabilities
2024-12-17
USN-7166-2: Linux kernel (AWS) vulnerabilities | Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - ARM32 architecture; - RISC-V architecture; - S390 architecture; - x86 architecture; - Block layer subsystem; - ACPI drivers; - Drivers core; - ATA over ethernet (AOE) driver; - TPM device driver; - Clock framework and drivers; - Buffer Sharing and Synchronization framework; - EFI core; - GPIO subsystem; - GPU drivers; - HID subsystem; - I2C subsystem; - InfiniBand drivers; - Input Device core drivers; - Mailbox framework; - Media drivers; - Ethernet bonding driver; - Network drivers; - Mellanox network drivers; - Microsoft Azure Network Adapter (MANA
Related CVEs: cve-2024-49985, cve-2024-49902, cve-2024-49856, cve-2024-49962

Social Media

CVE-2024-46859 Fix for Out of Bounds SINF Array in Panasonic Laptops In the Linux kernel, a vulnerability in the Panasonic laptop code has been fixed. This issue was with the SINF array in the platform/x86: panas... https://t.co/jxtRrdQU3C

Affected Software

Configuration 1
Type: OS
Vendor: Linux
Product: linux_kernel

References

Source identifier: 416BAAA9-DC9F-4396-8D5F-8C081FB06D67 (applies to all links below)
https://git.kernel.org/stable/c/6821a82616f60aa72c5909b3e252ad97fb9f7e2a
https://git.kernel.org/stable/c/9291fadbd2720a869b1d2fcf82305648e2e62a16
https://git.kernel.org/stable/c/b38c19783286a71693c2194ed1b36665168c09c4
https://git.kernel.org/stable/c/b7c2f692307fe704be87ea80d7328782b33c3cef
https://git.kernel.org/stable/c/f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4

CWE Details

CWE-129: Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
In this CVE the indices themselves are compile-time constants (0 through SINF_CUR_BRIGHT); what varies is the number of entries the firmware reports, so the missing validation is of those fixed indices against the actual array length.
