CVE-2024-46740 - "Binder Use-After-Free Vulnerability"
CVSS base score: 7.8 (HIGH)
Description

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF caused by offsets overwrite

Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free.

This issue is made evident by the following KASAN report (trimmed):

==================================================================
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
  _raw_spin_lock+0xe4/0x19c
  binder_free_buf+0x128/0x434
  binder_thread_write+0x8a4/0x3260
  binder_ioctl+0x18f0/0x258c
  [...]

Allocated by task 743:
  __kmalloc_cache_noprof+0x110/0x270
  binder_new_node+0x50/0x700
  binder_transaction+0x413c/0x6da8
  binder_thread_write+0x978/0x3260
  binder_ioctl+0x18f0/0x258c
  [...]

Freed by task 745:
  kfree+0xbc/0x208
  binder_thread_read+0x1c5c/0x37d4
  binder_ioctl+0x16d8/0x258c
  [...]
==================================================================

To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.
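The mechanism in the description (raw data copied between objects with no check that it stays inside the data section, so the copy runs into the offsets array that the same loop is indexing) is easier to see in a small model. The C program below is an added illustration written for this page; it is not the kernel's binder code and not the patch. It assumes a 32-byte data section with the offsets array laid out directly after it, fixed 8-byte objects, a constructed sender payload of 0x41 bytes, and a second object offset of 40 that lies past the end of the data section. The "fixed" path rejects an object offset beyond the data section before copying, which is the behaviour the commit message describes; the exact condition used in the kernel patch is not reproduced here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a binder transaction buffer (illustration only, not kernel code).
 * As in the real driver, the offsets array sits immediately after the data
 * section, so a copy that runs past data_size lands on the offsets. */
typedef uint64_t binder_size_t;

#define OBJ_SIZE  8   /* assumption: every object in the model is 8 bytes  */
#define DATA_SIZE 32  /* assumption: size of the data section in the model */
#define N_OFFSETS 2   /* assumption: the transaction carries two objects   */

struct tx_buffer {
    uint8_t mem[DATA_SIZE + N_OFFSETS * sizeof(binder_size_t)];
    size_t data_size;   /* length of the data section             */
    size_t n_offsets;   /* number of entries in the offsets array */
};

/* Read offsets[i]; memcpy avoids an unaligned pointer cast into mem[]. */
static binder_size_t offset_at(const struct tx_buffer *t, size_t i)
{
    binder_size_t v;
    memcpy(&v, t->mem + t->data_size + i * sizeof(v), sizeof(v));
    return v;
}

/* Copy a transaction object by object, like the driver's loop over the
 * offsets array. Returns 0 or a negative errno; on error the caller unwinds
 * the objects it already processed, indexing them through offset_at(). */
static int copy_transaction(struct tx_buffer *t, const uint8_t *user_data,
                            const binder_size_t *user_offsets, int fixed)
{
    size_t user_offset = 0;   /* next byte of user_data not yet copied */
    size_t i;

    /* The offsets array is copied into the target buffer first. */
    memcpy(t->mem + t->data_size, user_offsets,
           t->n_offsets * sizeof(binder_size_t));

    for (i = 0; i < t->n_offsets; i++) {
        size_t object_offset = (size_t)offset_at(t, i);

        if (object_offset < user_offset)
            return -EINVAL;                 /* objects must be ascending */
        if (fixed && object_offset > t->data_size)
            return -EINVAL;                 /* the missing bounds check  */

        /* Raw data between the previous object and this one. Without the
         * check above, an object_offset past the data section makes this
         * write run into the offsets array the loop is still reading.
         * (The constructed input below keeps the write inside mem[].) */
        memcpy(t->mem + user_offset, user_data + user_offset,
               object_offset - user_offset);

        /* The object itself is validated against the data section. In the
         * unpatched flow this is the check that fails and starts the unwind,
         * after the offsets have already been overwritten. */
        if (object_offset + OBJ_SIZE > t->data_size)
            return -EINVAL;
        memcpy(t->mem + object_offset, user_data + object_offset, OBJ_SIZE);
        user_offset = object_offset + OBJ_SIZE;
    }
    return 0;
}

/* Run one constructed transaction: two objects, the second declared at
 * offset 40 although the data section is only DATA_SIZE bytes long.
 * Returns the loop's result; *first_offset receives offsets[0] as the
 * unwind code would read it afterwards. */
static int run_transaction(int fixed, binder_size_t *first_offset)
{
    struct tx_buffer t;
    uint8_t user_data[64];                                   /* constructed payload */
    const binder_size_t user_offsets[N_OFFSETS] = { 0, 40 }; /* 40 > DATA_SIZE      */
    int rc;

    memset(&t, 0, sizeof(t));
    t.data_size = DATA_SIZE;
    t.n_offsets = N_OFFSETS;
    memset(user_data, 0x41, sizeof(user_data));
    rc = copy_transaction(&t, user_data, user_offsets, fixed);
    *first_offset = offset_at(&t, 0);
    return rc;
}

/* offsets[0] as seen by the unwind after the run (0x4141... when corrupted). */
static binder_size_t first_offset_after(int fixed)
{
    binder_size_t off = 0;
    run_transaction(fixed, &off);
    return off;
}

/* Return code of the run; both variants reject the transaction, the
 * difference is what the offsets array looks like when they do. */
static int result_of(int fixed)
{
    binder_size_t off;
    return run_transaction(fixed, &off);
}

int main(void)
{
    printf("unpatched: rc=%d, offsets[0] seen by unwind = 0x%016llx\n",
           result_of(0), (unsigned long long)first_offset_after(0));
    printf("patched:   rc=%d, offsets[0] seen by unwind = 0x%016llx\n",
           result_of(1), (unsigned long long)first_offset_after(1));
    return 0;
}
```

Both runs end with -EINVAL, so an error return alone says nothing. In the unpatched run the raw copy for the second object has already written 32 bytes of sender data starting at offset 8, which covers offsets[0]; the unwind then reads 0x4141414141414141 as the offset of the first object and would operate on whatever node that offset points to. In the patched run the out-of-range offset is rejected before the copy and offsets[0] is still 0. The point for reviewers is that the data section check has to happen before the raw copy, not only when the object itself is validated.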

INFO

Published Date: Sept. 18, 2024, 8:15 a.m.
Last Modified: Feb. 18, 2025, 4:15 p.m.
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable: No
Impact Score: 5.9
Exploitability Score: 1.8
Public PoC/Exploit Available at Github

CVE-2024-46740 has one public PoC/exploit repository linked on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following product is affected by CVE-2024-46740. The affected version ranges below are taken from the NVD CPE configuration recorded in the change history further down this page.

ID  Vendor  Product       Affected versions
1   Linux   linux_kernel  from (including) 5.4.226 up to (excluding) 5.4.284;
                          from (including) 5.10.157 up to (excluding) 5.10.226;
                          from (including) 5.15.17 up to (excluding) 5.15.167;
                          from (including) 5.17 up to (excluding) 6.1.110;
                          from (including) 6.2 up to (excluding) 6.6.51;
                          from (including) 6.7 up to (excluding) 6.10.10;
                          6.11-rc1, 6.11-rc2, 6.11-rc3, 6.11-rc4, 6.11-rc5, 6.11-rc6

We scan GitHub repositories to detect new proof-of-concept exploits. The following is a list of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

1. A collection of links related to Linux kernel security and exploitation
   Topics: linux-kernel, kernel-exploitation, exploit, privilege-escalation, security
   Updated: 3 days, 18 hours ago
   5908 stars, 939 forks, 939 watchers
   Created: Nov. 13, 2016, 10:21 p.m. This repository is linked to 280 different CVEs.
   Note: this is a link collection that references many CVEs rather than a dedicated proof-of-concept, so the PoC count above should not be read as evidence of a working public exploit for CVE-2024-46740 without checking the repository itself.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention CVE-2024-46740 anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-46740 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 18, 2025

    Action   Type        Old Value   New Value
    Added    CVSS V3.1               AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added    CWE                     CWE-416
  • Initial Analysis by [email protected]

    Sep. 20, 2024

    Action   Type                Old Value           New Value
    Added    CVSS V3.1 (NIST)                        AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Changed  Reference Type      No Types Assigned   Patch, for each of the following references:
             https://git.kernel.org/stable/c/109e845c1184c9f786d41516348ba3efd9112792
             https://git.kernel.org/stable/c/1f33d9f1d9ac3f0129f8508925000900c2fe5bb0
             https://git.kernel.org/stable/c/3a8154bb4ab4a01390a3abf1e6afac296e037da4
             https://git.kernel.org/stable/c/4df153652cc46545722879415937582028c18af5
             https://git.kernel.org/stable/c/4f79e0b80dc69bd5eaaed70f0df1b558728b4e59
             https://git.kernel.org/stable/c/5a32bfd23022ffa7e152f273fa3fa29befb7d929
             https://git.kernel.org/stable/c/eef79854a04feac5b861f94d7b19cbbe79874117
    Added    CWE (NIST)                              CWE-416
    Added    CPE Configuration                       OR, any of the following versions of cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*:
             from (including) 5.4.226 up to (excluding) 5.4.284
             from (including) 5.10.157 up to (excluding) 5.10.226
             from (including) 5.15.17 up to (excluding) 5.15.167
             from (including) 5.17 up to (excluding) 6.1.110
             from (including) 6.2 up to (excluding) 6.6.51
             from (including) 6.7 up to (excluding) 6.10.10
             plus the release candidates cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* through cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:* (rc1, rc2, rc3, rc4, rc5, rc6)
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Sep. 18, 2024

    Action Type Old Value New Value
    Added Description: the full commit-message text shown in the Description section above ("In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite ...").
    Added Reference kernel.org https://git.kernel.org/stable/c/5a32bfd23022ffa7e152f273fa3fa29befb7d929 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/3a8154bb4ab4a01390a3abf1e6afac296e037da4 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/eef79854a04feac5b861f94d7b19cbbe79874117 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4f79e0b80dc69bd5eaaed70f0df1b558728b4e59 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/1f33d9f1d9ac3f0129f8508925000900c2fe5bb0 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/109e845c1184c9f786d41516348ba3efd9112792 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4df153652cc46545722879415937582028c18af5 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The page tracks the EPSS score history of this vulnerability over time.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-46740 is associated with the following CWE:

CWE-416: Use After Free

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the weaknesses behind CVE-2024-46740.

CVSS 3.1 - Vulnerability Scoring System
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 7.8, HIGH)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
© cvefeed.io
Latest DB Update: Apr. 30, 2025 18:37