Linux Kernel up to 6.12.7 ibt_clear_fred_wfe assertion

Summaryinfo

A vulnerability marked as problematic has been reported in Linux Kernel up to 6.12.7. This affects the function ibt_clear_fred_wfe. This manipulation causes assertion. This vulnerability is tracked as CVE-2024-56761. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic was found in Linux Kernel up to 6.12.7. Affected by this vulnerability is the function ibt_clear_fred_wfe. The manipulation with an unknown input leads to a assertion vulnerability. The CWE definition for the vulnerability is CWE-617. The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ]

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2024-56761 since 12/29/2024. Technical details of the vulnerability are known, but there is no available exploit.

The vulnerability scanner Nessus provides a plugin with the ID 230681 (Linux Distros Unpatched Vulnerability : CVE-2024-56761), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.12.8 eliminates this vulnerability. Applying the patch b939f108e86b76119428a6fa4e92491e09ac7867/dc81e556f2a017d681251ace21bf06c126d5a192 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (230681) and CERT Bund (WID-SEC-2025-0016). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Debian Linux
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Dell NetWorker
• Dell Avamar
• Dell PowerProtect Data Domain
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.12.0
• 6.12.1
• 6.12.2
• 6.12.3
• 6.12.4
• 6.12.5
• 6.12.6
• 6.12.7

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion