Linux Kernel up to 6.12.4 AMD GPU debug_dma_map_sg memory corruption

CVSS Meta Temp Score
CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.
Current Exploit Price (≈)
Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.
CTI Interest Score
Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.
6.6$0-$5k0.00

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.12.4 and classified as critical. Impacted is the function debug_dma_map_sg of the component AMD GPU. Such manipulation leads to memory corruption. This vulnerability is referenced as CVE-2024-56594. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.12.4 and classified as critical. Affected by this issue is the function debug_dma_map_sg of the component AMD GPU. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: set the right AMDGPU sg segment limitation The driver needs to set the correct max_segment_size; otherwise debug_dma_map_sg() will complain about the over-mapping of the AMDGPU sg length as following: WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370 [ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd [ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii [ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492 [ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021 [ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370 [ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05 [ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286 [ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027 [ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680 [ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930 [ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000 [ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800 [ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000 [ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0 [ 364.049605] Call Trace: [ 364.049607] [ 364.049609] ? show_regs+0x6d/0x80 [ 364.049614] ? __warn+0x8c/0x140 [ 364.049618] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049621] ? report_bug+0x193/0x1a0 [ 364.049627] ? handle_bug+0x46/0x80 [ 364.049631] ? exc_invalid_op+0x1d/0x80 [ 364.049635] ? asm_exc_invalid_op+0x1f/0x30 [ 364.049642] ? debug_dma_map_sg+0x2dc/0x370 [ 364.049647] __dma_map_sg_attrs+0x90/0xe0 [ 364.049651] dma_map_sgtable+0x25/0x40 [ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu] [ 364.049935] ? srso_return_thunk+0x5/0x5f [ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu] [ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm] [ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm] [ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu] [ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu] [ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu] [ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu] [ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu] [ 364.05105 ---truncated---

The advisory is shared for download at git.kernel.org. This vulnerability is handled as CVE-2024-56594 since 12/27/2024. The exploitation is known to be easy. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 01/05/2026).

The vulnerability scanner Nessus provides a plugin with the ID 216224 (Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2025-20100)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.66 or 6.12.5 eliminates this vulnerability. Applying the patch b5807a08954fdf914ef80b49aaa6cda965ecc95c/13c3a54f48a612a117dfd82a9dd91732261e869d/76581147b05c2adb6b47bbc697521725f10224e4/ff0346a74627a5f607a33a3852586f8c7f678329/b9e52a96ec92245bf15dabba1d3d862d7a03efb8/76649ccf97e2cd72b62e34ed2fba6e0f89497eab/e2e97435783979124ba92d6870415c57ecfef6a5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (216224) and CERT Bund (WID-SEC-2024-3762). Once again VulDB remains the best source for vulnerability data.

Affected

  • Debian Linux
  • Amazon Linux 2
  • Red Hat Enterprise Linux
  • Ubuntu Linux
  • SUSE Linux
  • Oracle Linux
  • RESF Rocky Linux
  • Dell NetWorker
  • Dell Avamar
  • Red Hat OpenShift
  • IBM QRadar SIEM
  • Dell PowerProtect Data Domain
  • Open Source Linux Kernel
  • IBM DataPower Gateway
  • Dell Secure Connect Gateway

Productinfo

Type

Vendor

Name

Version

License

Website

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔍
VulDB Reliability: 🔍

CVSSv3info

VulDB Meta Base Score: 6.8
VulDB Meta Temp Score: 6.6

VulDB Base Score: 8.0
VulDB Temp Score: 7.6
VulDB Vector: 🔍
VulDB Reliability: 🔍

NVD Base Score: 5.5
NVD Vector: 🔍

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍

Exploitinginfo

Class: Memory corruption
CWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍

Physical: Partially
Local: Yes
Remote: Partially

Availability: 🔍
Status: Not defined

EPSS Score: 🔍
EPSS Percentile: 🔍

Price Prediction: 🔍
Current Price Estimation: 🔍

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Nessus ID: 216224
Nessus Name: Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2025-20100)

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Upgrade
Status: 🔍

0-Day Time: 🔍

Upgrade: Kernel 5.4.287/5.10.231/5.15.174/6.1.120/6.6.66/6.12.5
Patch: b5807a08954fdf914ef80b49aaa6cda965ecc95c/13c3a54f48a612a117dfd82a9dd91732261e869d/76581147b05c2adb6b47bbc697521725f10224e4/ff0346a74627a5f607a33a3852586f8c7f678329/b9e52a96ec92245bf15dabba1d3d862d7a03efb8/76649ccf97e2cd72b62e34ed2fba6e0f89497eab/e2e97435783979124ba92d6870415c57ecfef6a5

Timelineinfo

12/27/2024 🔍
12/27/2024 +0 days 🔍
12/27/2024 +0 days 🔍
01/05/2026 +374 days 🔍

Sourcesinfo

Vendor: kernel.org

Advisory: git.kernel.org
Status: Confirmed

CVE: CVE-2024-56594 (🔍)
GCVE (CVE): GCVE-0-2024-56594
GCVE (VulDB): GCVE-100-289580
CERT Bund: WID-SEC-2024-3762 - Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service

Entryinfo

Created: 12/27/2024 18:53
Updated: 01/05/2026 07:56
Changes: 12/27/2024 18:53 (59), 02/13/2025 12:41 (2), 07/25/2025 03:24 (7), 10/08/2025 21:50 (12), 01/05/2026 07:56 (1)
Complete: 🔍
Cache ID: 216::103

Once again VulDB remains the best source for vulnerability data.

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!