CVE-2024-46794 in Linux
Summary
by MITRE • 09/18/2024
In the Linux kernel, the following vulnerability has been resolved:
x86/tdx: Fix data leak in mmio_read()
The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM.
Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM.
This variable is only needed as an output value. It did not need to be passed to the VMM in the first place.
Do not send the original value of *val to the VMM.
[ dhansen: clarify what 'val' is used for. ]
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/06/2026
The vulnerability identified as CVE-2024-46794 represents a critical information disclosure flaw within the Linux kernel's x86 Trust Domain Extensions (TDX) implementation. This issue specifically affects the mmio_read() function which handles memory-mapped I/O operations between guest virtual machines and the VMM (Virtual Machine Monitor) in TDX environments. The vulnerability arises from improper handling of stack variables during TDVMCALL operations, creating an unintended data leak that exposes sensitive information to the VMM.
The technical flaw occurs within the mmio_read() function where the variable 'val' is initialized on the stack but inadvertently retains its original value when passed to the VMM through the TDVMCALL interface. This variable serves purely as an output parameter for the function's operation, yet the implementation fails to properly isolate it from the VMM's access. The vulnerability stems from the function's design where it sends the uninitialized stack contents to the VMM rather than only transmitting the actual MMIO data requested. This creates a scenario where the VMM can potentially access and extract information from the stack memory, including potentially sensitive data that was not intended for exposure.
The operational impact of this vulnerability is significant within TDX environments where the VMM has elevated privileges and access to guest memory operations. Attackers with malicious intent could potentially exploit this information leak to gain insights into the memory layout of guest operating systems, potentially leading to further exploitation techniques. The vulnerability affects systems utilizing Intel's TDX technology for confidential computing, where the security model relies on the isolation between guest VMs and the VMM. This information disclosure could enable adversaries to perform advanced persistent attacks, bypass security controls, or gather intelligence for more sophisticated exploitation attempts.
Mitigation strategies for CVE-2024-46794 focus on modifying the mmio_read() function implementation to ensure that stack variables are properly managed and that only the necessary data is transmitted to the VMM. The fix involves updating the function to avoid sending the original value of *val to the VMM, ensuring that only the actual MMIO data is passed through the TDVMCALL interface. This aligns with security best practices for confidential computing environments and follows the principle of least privilege. Organizations should update their Linux kernel implementations to include the patched version that addresses this specific information leak, and security teams should monitor for any potential exploitation attempts in their TDX-enabled environments. The vulnerability demonstrates the importance of careful stack variable management in hypervisor code and highlights the need for comprehensive security reviews of kernel functions that interface with virtualization technologies. This issue relates to CWE-200, Information Exposure, and could be categorized under ATT&CK technique T1552, Unsecured Credentials, when considering the potential for credential or sensitive data extraction through memory access patterns.