CVE-2024-47742 Overview
CVE-2024-47742 is a path traversal vulnerability in the Linux kernel's firmware loader subsystem. The vulnerability exists because firmware filenames in certain code paths contain string components that are passed through from device descriptors or semi-privileged userspace without proper sanitization. This allows an attacker with local access to potentially traverse the filesystem and load arbitrary firmware files by including .. path components in firmware names.
Critical Impact
A local attacker with limited privileges could exploit this vulnerability to achieve high impact on confidentiality, integrity, and availability by manipulating firmware loading paths to access or execute unintended files.
Affected Products
- Linux Kernel (multiple versions)
- Systems using lpfc driver for Emulex Fibre Channel adapters
- Systems using nfp driver for Netronome network devices
Discovery Timeline
- October 21, 2024 - CVE-2024-47742 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-47742
Vulnerability Analysis
The Linux kernel's firmware loader is responsible for loading firmware files from the filesystem into device drivers. While most firmware names are hardcoded strings or constructed from constrained format strings with only hex numbers, several code paths allow dynamic string components from untrusted sources to be incorporated into firmware filenames.
Three primary vulnerable code paths were identified:
- lpfc_sli4_request_firmware_update() - Constructs firmware filenames from "ModelName" parsed from Vital Product Data (VPD) descriptors. This case is particularly dangerous because the %s placeholder is at the start of the format string, allowing directory traversal.
- nfp_net_fw_find() - Constructs filenames from model names obtained via nfp_hwinfo_lookup(). This path is less exploitable because the format string netronome/nic_%s would require folders starting with netronome/nic_ to exist.
- module_flash_fw_schedule() - Reachable via the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command. While marked as GENL_UNS_ADMIN_PERM (allowing CAP_NET_ADMIN in user namespaces), exploitation requires control over a network namespace with a special ethernet device mapped in.
Root Cause
The root cause is insufficient input validation in the firmware loader when handling firmware filenames that contain components derived from device descriptors or userspace input. The firmware_loader subsystem did not validate or sanitize the firmware name parameter to reject path traversal sequences like .., allowing attackers to escape the intended firmware directory.
Attack Vector
This vulnerability requires local access to the system. An attacker with limited privileges can exploit specific driver interfaces that accept firmware names constructed from device-provided data or through semi-privileged operations like those requiring only CAP_NET_ADMIN within a user namespace.
The attack involves:
- Controlling a device that provides malicious VPD data or model names containing .. sequences
- Triggering firmware loading operations through the vulnerable driver
- The firmware loader follows the path traversal, potentially loading attacker-controlled files
The fix implements validation in the firmware loader to reject any firmware names containing .. path components, blocking directory traversal attempts regardless of which driver initiated the request.
Detection Methods for CVE-2024-47742
Indicators of Compromise
- Suspicious firmware loading attempts with unusual paths containing .. sequences in kernel logs
- Firmware loading failures with error messages indicating rejected path components
- Unexpected firmware files being accessed outside standard firmware directories (/lib/firmware/, /usr/lib/firmware/)
- Kernel audit logs showing firmware requests with path traversal patterns
Detection Strategies
- Monitor kernel logs (dmesg, journalctl -k) for firmware loading events with malformed or suspicious filenames
- Implement file integrity monitoring on firmware directories to detect unauthorized access patterns
- Use audit rules to track firmware loading system calls and file access in firmware directories
- Deploy endpoint detection solutions capable of monitoring kernel-level file operations
Monitoring Recommendations
- Enable kernel auditing for firmware-related operations using auditctl
- Configure SentinelOne Singularity Platform to monitor for suspicious file access patterns in firmware directories
- Review device driver activity logs for lpfc and nfp drivers on systems with Emulex Fibre Channel or Netronome network adapters
- Implement centralized logging to correlate firmware loading events across multiple systems
How to Mitigate CVE-2024-47742
Immediate Actions Required
- Update the Linux kernel to a patched version as soon as patches are available for your distribution
- Review systems running lpfc or nfp drivers for signs of exploitation
- Restrict access to device interfaces that could be used to trigger firmware loading operations
- Limit user namespace creation and CAP_NET_ADMIN capabilities where possible using security frameworks like AppArmor or SELinux
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix implements validation that rejects firmware names containing .. path components. Multiple commits have been applied to various kernel branches:
- Kernel Commit 28f1cd9
- Kernel Commit 3d2411f
- Kernel Commit 6c4e13f
- Kernel Commit 7420c1b
- Kernel Commit f0e5311
Debian has also released Long Term Support advisories addressing this vulnerability. See the Debian LTS Announcement January 2025 and Debian LTS Announcement March 2025 for distribution-specific guidance.
Workarounds
- Restrict physical access to systems with potentially exploitable device drivers
- Disable unused device drivers (lpfc, nfp) if not required for operations
- Use security modules (SELinux, AppArmor) to confine firmware loading to expected directories
- Limit user namespace creation and capabilities using kernel parameters or security policies
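# Example: Restrict unprivileged user namespace creation
# (this sysctl exists only on kernels carrying a distribution patch such as Debian's;
#  mainline kernels expose user.max_user_namespaces instead)
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
# Example: Add audit rule for firmware directory access
# (-p war = watch write, attribute-change and read access; -k tags the records)
auditctl -w /lib/firmware/ -p war -k firmware_access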
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

