NULL Pointer Dereference Affecting kernel-modules-extra-common package, versions <0:6.1.111-120.187.amzn2023


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-AMZN2023-KERNELMODULESEXTRACOMMON-8321264
  • published1 Nov 2024
  • disclosed27 Sept 2024

Introduced: 27 Sep 2024

CVE-2024-46822  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 kernel-modules-extra-common to version 0:6.1.111-120.187.amzn2023 or higher.
This issue was patched in ALAS2023-2024-755.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-modules-extra-common package and not the kernel-modules-extra-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry

In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed.

If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.

CVSS Scores

version 3.1