LiveActive security incident?Get immediate response
CVE Record

CVE-2024-42240: x86/bhi: Avoid warning in #DB handler due to BHI mitigation

In the Linux kernel, the following vulnerability has been resolved: x86/bhi: Avoid warning in #DB handler due to BHI mitigation When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler (exc_debug_kernel()) to issue a warning because single-step is used outside the entry_SYSENTER_compat() function. To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY after making sure the TF flag is cleared. The problem can be reproduced with the following sequence: $ cat sysenter_step.c int main() { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); } $ gcc -o sysenter_step sysenter_step.c $ ./sysenter_step Segmentation fault (core dumped) The program is expected to crash, and the #DB handler will issue a warning. Kernel log: WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160 ... RIP: 0010:exc_debug_kernel+0xd2/0x160 ... Call Trace: <#DB> ? show_regs+0x68/0x80 ? __warn+0x8c/0x140 ? exc_debug_kernel+0xd2/0x160 ? report_bug+0x175/0x1a0 ? handle_bug+0x44/0x90 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? exc_debug_kernel+0xd2/0x160 exc_debug+0x43/0x50 asm_exc_debug+0x1e/0x40 RIP: 0010:clear_bhb_loop+0x0/0xb0 ... </#DB> <TASK> ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d </TASK> [ bp: Massage commit message. ]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can cause a kernel warning when a specific x86 compatibility-system-call path interacts with BHI mitigation. The public record describes a warning, not data theft or remote compromise. Business urgency is mainly patch hygiene for exposed Linux fleets, especially where kernel warning policies could affect availability or monitoring noise.

Executive priority

Treat as a routine-to-moderate Linux kernel update unless your environment turns kernel warnings into service disruption. No cited source supports emergency response for active exploitation, but kernel maintenance should remain timely.

Technical view

On x86, entry_SYSENTER_compat() invoked with the trap flag set could run CLEAR_BRANCH_HISTORY before clearing TF. With BHI mitigation enabled, clear_bhb_loop() could be single-stepped, causing exc_debug_kernel() to warn. The fix reorders branch-history clearing until after TF is cleared.

Likely exposure

Exposure appears limited to affected Linux kernel versions on x86 systems using the relevant SYSENTER compatibility path with BHI mitigation enabled. The bundle lists Linux as affected, but downstream distro package status must be verified from vendor advisories.

Exploitation context

The source bundle provides a local reproduction scenario that triggers a warning. It does not cite active exploitation, KEV listing, remote attackability, privilege escalation, or a public weaponized exploit. KEV is false in the provided data.

Researcher notes

The important behavior is ordering in entry_SYSENTER_compat(): CLEAR_BRANCH_HISTORY must occur after TF is cleared. Public evidence describes a warning path, not confirmed privilege impact. Affected-version data in the bundle is incomplete for downstream packages.

Mitigation direction

  • Update affected Linux kernels to vendor-fixed builds containing the referenced stable commits.
  • Check Debian LTS and other distribution advisories for exact package versions.
  • Prioritize systems where kernel WARN conditions affect uptime or alerting.
  • Avoid direct wrangler or deployment relevance; this is an OS kernel maintenance item.

Validation and detection

  • Inventory Linux kernel versions across x86 hosts and compare with vendor advisories.
  • Confirm whether BHI mitigation is enabled on affected kernel lines.
  • Review kernel logs for related #DB or exc_debug_kernel warnings.
  • Verify installed kernel packages include the referenced stable fixes.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-42240 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxbd53ec80f21839cfd4d852a6088279d602d67e5b, 07dbb10f153f483e8249acebdffedf922e2ec2e1, eb36b0dce2138581bc6b5e39d0273cb4c96ded81, 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5, 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5, 8f51637712e4da5be410a1666f8aee0d86eef898, 5.15.154, 6.1.85, 6.6.26, 6.8.5unaffected
LinuxLinux6.9, 0, 5.15.163, 6.1.100, 6.6.41, 6.9.10, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.