CVE-2024-56775 Overview
CVE-2024-56775 is a Linux kernel vulnerability in the AMD Display driver (drm/amd/display). The flaw resides in the backup and restore mechanism for plane states, which fails to maintain proper reference counts. When the plane refcount changes between backup and restore operations, the kernel can experience memory leaks [CWE-401] or double-free conditions [CWE-415] leading to invalid memory access. A local authenticated attacker can exploit the condition to corrupt kernel memory or trigger denial of service. The issue affects Linux kernel builds shipping the AMD GPU display driver and has been resolved upstream by caching and re-applying the current refcount during plane state restoration.
Critical Impact
Local privilege escalation and kernel memory corruption are possible through double-free or use-after-free conditions in the AMD display driver's plane state handling.
Affected Products
- Linux Kernel (mainline, prior to fix commit 27227a234c14)
- Linux Kernel stable branches receiving backport 8cb2f6793845
- Distributions shipping AMD GPU (amdgpu) display driver builds
Discovery Timeline
- 2025-01-08 - CVE-2024-56775 published to NVD
- 2025-10-01 - Last updated in NVD database
Technical Details for CVE-2024-56775
Vulnerability Analysis
The vulnerability exists in the AMD Display Core (DC) component of the Linux kernel's Direct Rendering Manager (DRM) subsystem. The driver maintains a mechanism to back up plane states and restore them later during display configuration changes. This backup/restore routine copies whole plane state structures, including the embedded kref reference count, without preserving the count that is current at restore time.
When the kernel restores a backed-up plane state, the stored refcount overwrites whatever value existed at restore time. If the refcount increased between backup and restore, the lower stored value causes premature object release, leading to a double free [CWE-415] or use-after-free condition. If the refcount decreased, the stored higher value prevents object cleanup, producing a memory leak [CWE-401].
The issue is locally exploitable by an attacker with low privileges who can trigger display state operations. Successful exploitation impacts confidentiality, integrity, and availability of the system.
Root Cause
The backup and restore logic for dc_plane_state objects did not preserve the embedded reference counter. State copies treated plane structures as plain data, ignoring lifetime management. The fix caches the current refcount before restore and re-applies it after the structure copy completes.
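The refcount behaviour described under Vulnerability Analysis and Root Cause, as an added user-space model in C (not the kernel's code and not taken from the upstream patch). The struct layout and function names are illustrative assumptions; the model contrasts a restore that lets the backed-up count overwrite the live one with a restore that caches and re-applies the live count.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-in for a refcounted plane state (illustrative). */
struct plane_state {
    int refcount;      /* models the embedded kref */
    int width, height; /* ordinary configuration data */
};

/* Backup is a plain structure copy, so it captures the refcount too. */
static void plane_backup(struct plane_state *bak, const struct plane_state *live)
{
    memcpy(bak, live, sizeof(*bak));
}

/* Flawed restore: the count saved at backup time overwrites the live count. */
static void plane_restore_flawed(struct plane_state *live, const struct plane_state *bak)
{
    memcpy(live, bak, sizeof(*live));
}

/* Fixed restore: cache the live count, copy the data, re-apply the count. */
static void plane_restore_fixed(struct plane_state *live, const struct plane_state *bak)
{
    int current = live->refcount;
    memcpy(live, bak, sizeof(*live));
    live->refcount = current;
}

/* Backup, change the count by delta (retains/releases), restore; return the count. */
static int refcount_after_restore(int start, int delta, int use_fix)
{
    struct plane_state live = { start, 1920, 1080 }, bak;
    plane_backup(&bak, &live);
    live.refcount += delta; /* holders added or dropped inside the window */
    live.width = 1280;      /* configuration change the restore should undo */
    if (use_fix)
        plane_restore_fixed(&live, &bak);
    else
        plane_restore_flawed(&live, &bak);
    return live.width == 1920 ? live.refcount : -1;
}

int main(void)
{
    printf("retain in window:  flawed=%d fixed=%d\n", refcount_after_restore(2, 1, 0), refcount_after_restore(2, 1, 1));
    printf("release in window: flawed=%d fixed=%d\n", refcount_after_restore(2, -1, 0), refcount_after_restore(2, -1, 1));
    return 0;
}
```

With two holders at backup time, a retain inside the window leaves the flawed restore one count short of the real number of holders (early release), and a release inside the window leaves it one count too high (leak); the fixed restore matches the real holder count in both cases.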
Attack Vector
An unprivileged local user invokes DRM ioctls or KMS (Kernel Mode Setting) operations that trigger plane state backup/restore sequences on systems using the amdgpu driver. By racing or sequencing operations that alter the plane refcount during the window between backup and restore, the attacker forces an inconsistent refcount state. The resulting double free or use-after-free can be shaped into kernel memory corruption suitable for privilege escalation.
No public proof-of-concept exploit is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Refer to the upstream patches for technical detail: Kernel commit 27227a234c14 and stable backport 8cb2f6793845.
Detection Methods for CVE-2024-56775
Indicators of Compromise
- Kernel KASAN or SLUB warnings referencing dc_plane_state, amdgpu_dm, or related DRM symbols in dmesg and /var/log/kern.log.
- Unexpected GPU driver crashes, display freezes, or oops messages mentioning drm/amd/display after userspace KMS activity.
- Gradual kernel memory growth attributable to amdgpu slab caches without matching workload changes.
Detection Strategies
- Audit installed kernel package versions against vendor advisories to identify hosts lacking the fix commits 27227a234c14 or 8cb2f6793845.
- Enable kernel debugging features such as KASAN, KFENCE, and SLUB_DEBUG on test systems to surface refcount-related corruption during display workloads.
- Correlate process activity invoking DRM ioctls with subsequent kernel error messages to identify possible exploitation attempts.
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM and alert on AMD display driver oops, BUG, or KASAN entries.
- Track running kernel versions across the fleet and flag systems still on vulnerable builds.
- Monitor for repeated GPU resets or display subsystem restarts from non-administrative user sessions.
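One way to implement the kernel-log alerting described in the indicators and monitoring recommendations above, as an added C example (not from this advisory or any vendor tool). It matches a fault header (KASAN, BUG, Oops) and then searches the following trace lines for AMD display symbols, because the symbol may appear in the call trace rather than on the header line; the sample log lines are constructed and the 8-line window is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define TRACE_WINDOW 8 /* assumed number of trace lines searched after a header */

/* Constructed sample lines for illustration, not captured from a real system. */
static const char *const sample_log[] = {
    "[  12.3] amdgpu_dm: display manager initialised",
    "[ 101.1] BUG: KASAN: slab-use-after-free in dc_plane_state_release+0x1c/0x60 [amdgpu]",
    "[ 230.4] BUG: KASAN: double-free in kfree+0x10/0x20",
    "[ 230.4] Call Trace:",
    "[ 230.4]  amdgpu_dm_atomic_commit_tail+0x9a/0x400 [amdgpu]",
    "[ 300.0] BUG: unable to handle page fault for address: 0000000000000010",
    "[ 300.0]  ext4_file_write_iter+0x40/0x90",
};

/* Return 1 if line contains any string from the NULL-terminated list. */
static int has_any(const char *line, const char *const *needles)
{
    for (; *needles; needles++)
        if (strstr(line, *needles)) return 1;
    return 0;
}

/* Count fault reports whose header or following trace lines name an AMD display symbol. */
static int count_amd_display_faults(const char *const *lines, int n)
{
    static const char *const faults[] = { "KASAN", "BUG:", "Oops", NULL };
    static const char *const symbols[] = { "dc_plane_state", "amdgpu_dm", "drm/amd/display", NULL };
    int alerts = 0, window = 0;
    for (int i = 0; i < n; i++) {
        if (has_any(lines[i], faults))
            window = TRACE_WINDOW + 1; /* header line plus trace lines */
        if (window == 0)
            continue;                  /* driver chatter outside a fault report */
        if (has_any(lines[i], symbols)) {
            alerts++;
            window = 0;                /* one alert per fault report */
        } else {
            window--;
        }
    }
    return alerts;
}

int main(void)
{
    int n = (int)(sizeof(sample_log) / sizeof(sample_log[0]));
    printf("AMD display fault reports: %d\n", count_amd_display_faults(sample_log, n));
    return 0;
}
```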
How to Mitigate CVE-2024-56775
Immediate Actions Required
- Apply the latest stable kernel updates from your Linux distribution that include commits 27227a234c14 and 8cb2f6793845.
- Inventory all systems running AMD GPUs with the amdgpu driver and prioritize patching multi-user hosts.
- Restrict local shell access to trusted users on systems that cannot be patched immediately.
Patch Information
The upstream fix caches the current kref value of the plane state before restore and re-applies it after the copy. Patches are available at kernel.org commit 27227a234c14 and the stable backport at kernel.org commit 8cb2f6793845. Update to a distribution-supplied kernel that incorporates these commits and reboot to load the fixed driver.
Workarounds
- Where patching is delayed, limit interactive logins and disable graphical sessions on shared hosts that do not require them.
- Blacklist or unload the amdgpu module on servers that do not need AMD display functionality using modprobe -r amdgpu and a persistent blacklist entry.
- Apply SELinux or AppArmor profiles that restrict unprivileged access to /dev/dri/* device nodes.
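# Verify running kernel version and check for AMD display driver use
uname -r
lsmod | grep amdgpu
# Disable amdgpu on systems that do not require it (requires reboot)
echo "blacklist amdgpu" | sudo tee /etc/modprobe.d/blacklist-amdgpu.conf
# update-initramfs is the Debian/Ubuntu tool; use the distribution's own initramfs tool elsewhere
sudo update-initramfs -u
# Restrict DRM device access to the video group only
# These changes cover card* nodes only (not renderD*) and do not persist across
# reboots, because udev recreates the nodes; add a udev rule to make them permanent
sudo chmod 0660 /dev/dri/card*
sudo chown root:video /dev/dri/card*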