CVE-2024-46743 Overview
CVE-2024-46743 is an out-of-bounds read vulnerability in the Linux kernel's Open Firmware (OF) interrupt handling subsystem. The vulnerability exists in the of_irq_parse_raw() function, which can be exploited when the function is invoked with a device address smaller than the address size given by the interrupt parent node's #address-cells property. This size mismatch causes an out-of-bounds memory read, which KASAN (Kernel Address Sanitizer) detects, when the initial match table is populated during interrupt map walk operations.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to read sensitive kernel memory or cause system instability, potentially leading to information disclosure or denial of service conditions on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.11-rc1, 6.11-rc2, 6.11-rc3
- Debian Linux (see LTS announcements)
Discovery Timeline
- September 18, 2024 - CVE-2024-46743 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-46743
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read) and affects the kernel's device tree interrupt parsing mechanism. The flaw occurs during interrupt map walking operations when the of_irq_parse_raw() function processes device addresses that are smaller than the address size specified by the interrupt parent node's #address-cells property.
When parsing interrupt specifications for devices in the device tree, the kernel attempts to read device address data based on the parent node's expected address size. If the device's actual address is smaller than this expected size, the function reads beyond the allocated memory boundaries, accessing potentially sensitive data from adjacent kernel memory regions.
The vulnerability was detected through KASAN instrumentation, which identified a 4-byte out-of-bounds read in the kmalloc-128 slab cache. The buggy read occurs at an offset of 8 bytes inside a 128-byte memory region during the interrupt parsing process.
Root Cause
The root cause of this vulnerability lies in insufficient bounds checking when copying device address data into the match table during interrupt map traversal. The of_irq_parse_raw() function assumes that the device address buffer is at least as large as the #address-cells property of the interrupt parent node, but this assumption is not validated before memory access operations occur.
When device tree overlays are applied or platform devices are created, the interrupt parsing code may encounter device nodes with address sizes that differ from their parent interrupt controller's expectations. Without proper validation, the code reads past the end of the device's address buffer, triggering the out-of-bounds access.
Attack Vector
The vulnerability requires local access to the system and can be triggered through device tree manipulation or during normal device initialization sequences. The attack involves creating or modifying device tree entries where a device's address cell count is smaller than its interrupt parent's #address-cells property.
The exploitation path follows these steps:
- An attacker with local access manipulates device tree configurations or triggers device tree overlay application
- The kernel's of_platform_device_create_pdata() function initiates device creation
- The interrupt parsing functions of_irq_parse_one() and of_irq_parse_raw() are called
- Due to address size mismatch, out-of-bounds memory is read from the kernel slab cache
The KASAN debug output shows the call trace originating from device_add() through of_device_add(), of_platform_device_create_pdata(), and ultimately reaching the vulnerable of_irq_parse_raw() function where the 4-byte out-of-bounds read occurs.
Detection Methods for CVE-2024-46743
Indicators of Compromise
- KASAN error messages in kernel logs indicating slab-out-of-bounds reads in of_irq_parse_raw
- Kernel oops or warnings related to device tree interrupt parsing functions
- Unexpected system instability during device enumeration or device tree overlay application
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect memory access violations
- Monitor kernel logs for BUG: KASAN: slab-out-of-bounds messages referencing of_irq_parse_raw
- Implement runtime kernel monitoring for anomalous memory access patterns in OF/irq subsystems
- Deploy endpoint detection solutions capable of monitoring kernel-level memory operations
Monitoring Recommendations
- Configure syslog forwarding to capture and analyze kernel warning messages
- Set up alerts for KASAN violation reports in centralized logging systems
- Monitor for unexpected device tree modifications or overlay applications
- Implement file integrity monitoring on device tree blob files and overlay directories
How to Mitigate CVE-2024-46743
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for CVE-2024-46743
- Review device tree configurations for potential address cell size mismatches
- Apply vendor-provided security patches from Linux distribution maintainers
- Consider disabling device tree overlay functionality if not required
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix prevents the out-of-bounds read by copying the device address into a buffer of sufficient size before processing. Multiple stable kernel commits are available:
- Kernel Stable Commit defcaa4
- Kernel Stable Commit baaf267
- Kernel Stable Commit 9d1e9f0
- Kernel Stable Commit bf68acd
- Kernel Stable Commit b739dff
- Kernel Stable Commit d2a7949
- Kernel Stable Commit 7ead730
- Kernel Stable Commit 8ff351e
Debian users should refer to the Debian LTS Announcement October 2024 and Debian LTS Announcement January 2025 for distribution-specific updates.
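The unchecked read described under Root Cause and the bounded copy described above can be compared in a small userspace model. This is an added example, not kernel code or the upstream patch; the function names, MAX_ADDR_CELLS and the sample address value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDR_CELLS 3  /* assumed upper bound on #address-cells in this model */

/* Unchecked pattern: reads parent_addr_cells cells from addr without knowing
 * how long the device address really is. Correct only if addr is long enough. */
void fill_match_unchecked(uint32_t *match, const uint32_t *addr,
                          unsigned parent_addr_cells)
{
    for (unsigned i = 0; i < parent_addr_cells; i++)
        match[i] = addr[i];   /* no check against the property length */
}

/* Bounded pattern: copy at most addr_len bytes into a zeroed local buffer
 * that always covers the parent's address size, then read from that buffer.
 * Returns how many cells were zero-filled instead of read from addr. */
unsigned fill_match_bounded(uint32_t *match, const uint32_t *addr,
                            size_t addr_len, unsigned parent_addr_cells)
{
    uint32_t addr_buf[MAX_ADDR_CELLS] = { 0 };
    size_t have;

    if (parent_addr_cells > MAX_ADDR_CELLS)
        parent_addr_cells = MAX_ADDR_CELLS;
    if (addr_len > sizeof(addr_buf))
        addr_len = sizeof(addr_buf);      /* never overflow the local buffer */
    if (addr)
        memcpy(addr_buf, addr, addr_len); /* never read past the property */
    else
        addr_len = 0;
    for (unsigned i = 0; i < parent_addr_cells; i++)
        match[i] = addr_buf[i];
    have = addr_len / sizeof(uint32_t);
    return have < parent_addr_cells ? parent_addr_cells - (unsigned)have : 0;
}

int main(void)
{
    uint32_t reg[1] = { 0x10000000u };    /* constructed 1-cell device address */
    uint32_t match[MAX_ADDR_CELLS];
    unsigned padded = fill_match_bounded(match, reg, sizeof(reg), 3);

    printf("padded=%u match=%08x %08x %08x\n", padded,
           (unsigned)match[0], (unsigned)match[1], (unsigned)match[2]);
    return 0;
}
```

Passing the same 1-cell address to fill_match_unchecked() with a 3-cell parent would read 8 bytes beyond the source array, which is the class of access KASAN reports.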
Workarounds
- Restrict device tree overlay application permissions to trusted administrators only
- Disable dynamic device tree overlay support via kernel configuration if not required
- Enable KASAN in development environments to detect exploitation attempts
- Implement access controls to limit local user access to device tree interfaces
# Check current kernel version for vulnerability assessment
uname -r
# Verify available kernel updates (run the apt commands as root)
apt-get update && apt-cache policy "linux-image-$(uname -r)"
# Apply kernel updates (Debian/Ubuntu); --only-upgrade touches only this package
apt-get install --only-upgrade "linux-image-$(uname -r)"
# Reboot to apply the patched kernel
reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

