LiveActive security incident?Get immediate response
CVE Record

CVE-2024-46750: PCI: Add missing bridge lock to pci_bus_lock()

In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: <TASK> ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-46750 is a Linux kernel PCI locking flaw. During some PCI bus reset paths, the kernel failed to lock the bridge device, which could allow unsafe concurrent reset behavior. The public record frames this as a kernel correctness and stability fix, not a confirmed remote compromise issue.

Executive priority

Treat this as a routine-to-moderate kernel maintenance item unless your environment depends on affected Linux-based appliances or PCI-heavy infrastructure. There is no sourced evidence of exploitation, but kernel stability defects still warrant timely patching through normal maintenance windows.

Technical view

The issue is in Linux PCI reset locking. pci_bus_lock() locked devices below a bus but missed bus->self, the bridge itself. Lockdep identified unlocked secondary bus resets through pci_reset_bus() and vmd_probe(). Stable fixes add bridge locking while avoiding recursive locking deadlock.

Likely exposure

Exposure is limited to systems running affected Linux kernel builds with the vulnerable PCI code. The bundle does not prove that every Linux deployment is practically reachable; validate kernel package versions, vendor backports, and whether the fix is included in your distribution.

Exploitation context

No source in the bundle reports active exploitation, and KEV is false. The evidence describes an internal kernel locking defect found by lockdep, with call traces around PCI/VMD reset handling. Practical exploitability, attacker prerequisites, and impact are not specified in the provided sources.

Researcher notes

The key technical point is missing locking of bus->self in pci_bus_lock(). The source bundle provides fix commits and advisory references but lacks CVSS, CWE, exploit prerequisites, or demonstrated impact. Version status appears incomplete, so rely on vendor backport evidence rather than raw upstream version strings alone.

Mitigation direction

  • Update to a vendor kernel release containing the stable PCI locking fix.
  • Apply Debian LTS or distribution security updates where applicable.
  • Check Siemens advisories for affected industrial products using bundled Linux kernels.
  • Avoid direct wrangler-style assumptions; follow your OS or device vendor guidance.
  • Track kernel stable commits listed in the CVE record for backport confirmation.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded devices.
  • Confirm whether vendor packages include the referenced stable commits or equivalent backports.
  • Review distribution security advisories for CVE-2024-46750 coverage.
  • Prioritize systems using PCI reset paths, VMD, or vendor appliances named in advisories.
  • Document exceptions where vendor guidance is unavailable or deferred.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-46750 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
14Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2, 090a3c5322e900f468b3205b76d0837003ad57b2unaffected
LinuxLinux3.12, 0, 4.19.322, 5.4.284, 5.10.226, 5.15.167, 6.1.110, 6.6.51, 6.10.10, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.