CVE-2024-46745: Input: uinput - reject requests with unreasonable number of slots
In the Linux kernel, the following vulnerability has been resolved:
Input: uinput - reject requests with unreasonable number of slots
When exercising uinput interface syzkaller may try setting up device
with a really large number of slots, which causes memory allocation
failure in input_mt_init_slots(). While this allocation failure is
handled properly and request is rejected, it results in syzkaller
reports. Additionally, such request may put undue burden on the
system which will try to free a lot of memory for a bogus request.
Fix it by limiting allowed number of slots to 100. This can easily
be extended if we see devices that can track more than 100 contacts.
Security readout for executives and security teams
Plain-English summary
CVE-2024-46745 is a Linux kernel uinput issue where an unrealistic number of multitouch slots can force large memory-allocation attempts. The request is rejected, but the attempt can still burden the system. Sources do not show active exploitation or a CVSS score.
Executive priority
Treat this as routine kernel hygiene unless uinput is exposed to untrusted local workloads. It does not currently justify emergency response based on the provided evidence, but it should be included in normal kernel patch cycles.
Technical view
The flaw is in Linux input/uinput handling. Very large slot counts reach input_mt_init_slots(), causing allocation failure and system pressure. The upstream fix caps allowed slots at 100, with multiple stable-kernel backport commits referenced by the CVE record.
Likely exposure
Exposure is most relevant on Linux systems where untrusted users, software, or workloads can exercise the uinput interface. Internet-facing exposure is not indicated by the sources. Appliances or distributions using affected kernel branches may also depend on vendor backports.
Exploitation context
The source bundle describes syzkaller-triggered behavior, not real-world exploitation. CISA KEV status is false, and no cited source claims active exploitation. Practical impact appears to be local resource pressure or denial-of-service risk rather than data theft.
Researcher notes
Evidence is limited to the CVE description, stable kernel commits, and vendor advisories. The affected-version data in the bundle is not fully normalized, so rely on vendor kernel status and commit presence rather than version strings alone.
Mitigation direction
Upgrade to a vendor kernel containing the uinput slot-limit fix.
Check Debian LTS and other vendor advisories for backported kernel packages.
Limit uinput access to trusted users and workloads where operationally possible.
Track Siemens or appliance advisories if affected products use embedded Linux.
Do not deploy custom kernel builds without confirming the relevant stable commit is included.
Validation and detection
Inventory Linux kernel versions across servers, workstations, containers, and appliances.
Confirm the running kernel includes the uinput change limiting slots to 100.
Review device and container permissions for access to the uinput interface.
Check vendor advisories for product-specific fixed versions or mitigations.
Prioritize systems running untrusted local workloads or broad device access policies.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46745 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.