CVE-2024-46845 in Linux
Summary
by MITRE • 09/27/2024
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Only clear timer if a kthread exists
The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug.
Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread.
Note, this is just a quick fix that can be backported to stable. A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability identified as CVE-2024-46845 resides within the Linux kernel's tracing subsystem, specifically affecting the timerlat tracer functionality that monitors operating system noise and timer latency. This tracer employs user-space threads to perform its monitoring duties, creating a complex interaction between kernel and user-space components that introduces potential race conditions and memory management issues. The flaw manifests when processes utilizing this tracing mechanism are terminated through SIGTERM signals, which triggers a cascade of thread shutdown operations that can result in improper resource cleanup and subsequent memory corruption.
The technical root cause stems from a race condition in the timerlat tracer's thread management logic where the high-resolution timer associated with a kernel thread gets prematurely cancelled and freed before the thread has fully terminated. When a process using the tracer is killed, the threads are shut down sequentially, but another tracing instance may attempt to reset the threads before the previous shutdown operations have completed. This timing issue leads to the hrtimer being cancelled and freed twice, creating a use-after-free condition that represents a critical memory corruption vulnerability. The vulnerability specifically affects the interaction between the kernel's timer subsystem and the tracing infrastructure, where proper synchronization between thread lifecycle management and timer cleanup operations is lacking.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation and system instability. An attacker who can control a process using the timerlat tracer could exploit this race condition to execute arbitrary code with kernel privileges, as the use-after-free condition could be leveraged to corrupt kernel memory structures and manipulate execution flow. The vulnerability affects systems running affected kernel versions where the timerlat tracer functionality is enabled, particularly those utilizing tracing capabilities for performance monitoring or debugging purposes. The instability introduced by this flaw could also lead to system crashes or denial of service conditions, making it a significant concern for production environments.
The proposed fix implements a simple but effective mitigation by adding a check to ensure that the hrtimer is only cancelled when the associated thread still exists, preventing the double-free scenario. Additionally, the solution introduces interface_lock protection around the thread resetting operations to provide proper synchronization. This approach addresses the immediate race condition while maintaining backward compatibility and allowing the fix to be backported to stable kernel releases. However, the fix acknowledges that this represents only a temporary solution, with the recommended long-term approach being the implementation of better synchronization mechanisms between thread shutdown and startup operations. This vulnerability aligns with CWE-415, representing an improper shutdown of a resource, and could be categorized under ATT&CK technique T1059 for command and script interpretation, as exploitation might involve crafting specific process termination sequences. The fix demonstrates the importance of proper resource management in kernel-level code and highlights the complexity of synchronization in concurrent systems where multiple components must coordinate their lifecycle operations.