LiveActive security incident?Get immediate response
CVE Record

CVE-2024-42090: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

In the Linux kernel, the following vulnerability has been resolved: pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER In create_pinctrl(), pinctrl_maps_mutex is acquired before calling add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl() calls pinctrl_free(). However, pinctrl_free() attempts to acquire pinctrl_maps_mutex, which is already held by create_pinctrl(), leading to a potential deadlock. This patch resolves the issue by releasing pinctrl_maps_mutex before calling pinctrl_free(), preventing the deadlock. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-42090 is a Linux kernel bug that can cause a deadlock while setting up pin control resources. In business terms, this is mainly an availability concern: affected systems could hang in specific hardware or driver initialization paths. The sources do not show active exploitation or a public severity score.

Executive priority

Handle through normal kernel patch governance unless affected devices show instability or are operationally critical. There is no cited active exploitation, but kernel deadlocks can disrupt availability, so defer only with documented vendor risk acceptance.

Technical view

The issue is in create_pinctrl(). It holds pinctrl_maps_mutex, then calls add_setting(). If add_setting() returns -EPROBE_DEFER, create_pinctrl() calls pinctrl_free(), which attempts to acquire the same mutex and can deadlock. The kernel fix releases pinctrl_maps_mutex before calling pinctrl_free().

Likely exposure

Exposure is most relevant to Linux systems using affected kernel builds and pinctrl driver paths, especially hardware-dependent environments. The bundle lists Linux kernel versions and multiple stable commits, but precise affected and fixed ranges should be confirmed against the running distribution or vendor advisory.

Exploitation context

The provided sources describe a kernel deadlock discovered by Coverity SAST. They do not provide evidence of active exploitation, public exploit availability, or inclusion in CISA KEV. Treat this as a reliability and denial-of-service risk until vendor-specific impact is confirmed.

Researcher notes

Evidence supports a mutex re-entry deadlock in the pinctrl subsystem during -EPROBE_DEFER handling. The source bundle does not include CVSS, CWE, exploitability analysis, or complete branch range semantics, so validation should rely on vendor kernel package metadata and referenced stable commits.

Mitigation direction

  • Update affected Linux kernels using your distribution or device vendor guidance.
  • Prioritize systems where pinctrl drivers are relevant to boot or device initialization.
  • Review Debian LTS and Siemens advisories if those ecosystems apply.
  • Schedule required reboots after kernel package updates.
  • Track kernel stable fixes referenced for your maintained branch.

Validation and detection

  • Inventory running kernel versions across servers, appliances, and embedded devices.
  • Map each kernel to vendor advisories or stable fix commits.
  • Confirm updated packages include the CVE-2024-42090 fix.
  • Check whether affected systems use relevant pinctrl paths or hardware drivers.
  • Monitor for boot-time or driver-probe hangs before and after patching.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-42090 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7, 42fed7ba44e4e8c1fb27b28ad14490cb1daff3c7unaffected
LinuxLinux3.10, 0, 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, 6.9.8, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.