CVE-2024-46821 in Linuxinfo

Summary

by MITRE • 09/27/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: Fix negative array index read

Avoid using the negative values for clk_idex as an index into an array pptable->DpmDescriptor.

V2: fix clk_index return check (Tim Huang)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/04/2026

The vulnerability CVE-2024-46821 represents a critical array index out-of-bounds read condition within the AMD Radeon graphics driver component of the Linux kernel. This flaw exists in the power management subsystem specifically within the drm/amd/pm module where the kernel handles dynamic power management operations for AMD graphics hardware. The issue arises from improper validation of clock index values before using them as array indices, creating a potential pathway for unauthorized memory access patterns that could be exploited by malicious actors.

The technical root cause of this vulnerability stems from the improper handling of clk_idex values which are intended to serve as indices into the pptable->DpmDescriptor array structure. When negative values are returned from clk_index operations, these values are directly used without proper bounds checking or validation, resulting in negative array indexing. This condition violates fundamental memory safety principles and can lead to reading from arbitrary memory locations outside the intended array boundaries. The vulnerability is categorized under CWE-129 as an "Improper Validation of Array Index" and aligns with ATT&CK technique T1059.008 for Abuse of Command and Control Interface.

The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to execute arbitrary code with kernel privileges or cause system instability through controlled memory access violations. Attackers could exploit this weakness by manipulating the power management interface to trigger the negative indexing condition, potentially leading to privilege escalation or denial of service scenarios. The vulnerability affects systems running Linux kernels with AMD Radeon graphics hardware that utilize the drm/amd/pm power management framework, making it particularly relevant for servers, workstations, and embedded systems with AMD graphics capabilities.

Mitigation strategies for CVE-2024-46821 should prioritize applying the official kernel patches that implement proper validation of clk_index return values before array access. System administrators should ensure all AMD graphics systems are updated with the latest kernel releases containing the fix, which specifically addresses the clk_index return check as noted in the V2 fix. Additional protective measures include monitoring for unusual power management activity patterns and implementing kernel module integrity checks. The fix demonstrates proper defensive programming practices by validating array indices against array bounds before memory access operations, aligning with security best practices for kernel development and the principles outlined in the Linux kernel security guidelines.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00260

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!