VYPR
← All advisories
High severity7.1NVD Advisory· Published Sep 18, 2024· Updated May 12, 2026

CVE-2024-46743

CVE-2024-46743

Description

In the Linux kernel, the following vulnerability has been resolved:

of/irq: Prevent device address out-of-bounds read in interrupt map walk

When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node (from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg="func of_irq_parse_* +p"):

OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764

CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ...

The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680)

The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it !

Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, an out-of-bounds read in of_irq_parse_raw() can occur due to mismatched address sizes, potentially leading to information disclosure or crash.

Vulnerability

Description The vulnerability resides in the Linux kernel's interrupt parsing function of_irq_parse_raw(). When a device address in the interrupt specifier is smaller than the address size expected by the interrupt parent node (as defined by #address-cells), the function performs an out-of-bounds read. This was detected by KASAN as a slab-out-of-bounds access, indicating a lack of proper size validation during the interrupt map walk [1].

Exploitation

Prerequisites To exploit this, an attacker must be able to trigger a scenario where of_irq_parse_raw() is called with an undersized device address. This could occur via device tree overlay application, hotplug events, or other operations that manipulate the device tree. Local access or the ability to inject device tree changes is required; no network-based exploitation is described.

Impact

Successful exploitation allows an attacker to read out-of-bounds kernel memory, which may leak sensitive information or cause a kernel panic (denial of service). The CVSS v3 base score of 7.1 (High) reflects the potential for information disclosure combined with low attack complexity [1].

Mitigation

The fix has been committed to the Linux kernel stable tree [4]. Users should update their kernel to a version containing the patch. Siemens has also released an advisory (SSA-265688) confirming that affected products like SIMATIC S7-1500 TM MFP GNU/Linux subsystem should apply updates [1]. No workaround is available; patching is required.

References
  1. SSA-265688
  2. Making sure you're not a bot!

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

112

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.