LiveActive security incident?Get immediate response
CVE Record

CVE-2024-46831: net: microchip: vcap: Fix use-after-free error in kunit test

In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. We remove it, and rely on checking the return code of vcap_del_rule.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2024-46831 is a Linux kernel issue described as a use-after-free in a Microchip VCAP KUnit test. The available sources frame it as test-code cleanup, not a demonstrated production attack path. Business urgency is low unless your organization builds, tests, or maintains affected Linux kernel trees.

Executive priority

Handle through normal kernel maintenance unless internal CI or product engineering depends on affected Linux kernel test code. There is no source-backed evidence of active exploitation or a production attack path.

Technical view

The kernel fix removes a use-after-free in the Microchip VCAP KUnit test and relies on the return code from vcap_del_rule. The CVE source lists affected Linux kernel versions or commits, but provides no CVSS, CWE, exploitability details, or runtime impact beyond the KUnit test context.

Likely exposure

Exposure appears most likely in Linux kernel source trees, CI systems, or vendor kernels that include the affected Microchip VCAP KUnit test code. The provided evidence does not establish remote, local privilege, or production runtime exposure.

Exploitation context

The source bundle does not report active exploitation, and KEV is false. No cited source describes public exploit code, attacker prerequisites, or weaponized behavior. Treat exploitation context as unproven based on current evidence.

Researcher notes

The CVE record is sparse. The strongest evidence is the kernel description: a clear use-after-free in a KUnit test fixed by removing the unsafe behavior. Additional impact analysis would require reviewing the linked commits and vendor backport status.

Mitigation direction

  • Update affected Linux kernel trees to include the referenced stable fixes.
  • Follow your Linux distribution or device vendor advisory for packaged kernels.
  • Prioritize kernel CI and source-maintenance environments using KUnit tests.
  • Do not infer network exposure without vendor evidence.

Validation and detection

  • Inventory Linux kernel versions and source commits in maintained builds.
  • Check whether referenced stable commits are present in your kernel tree.
  • Review distro or vendor advisories for backported fixes.
  • Confirm whether Microchip VCAP KUnit tests run in CI.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-46831 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxc956b9b318d9036701c471dd458f9ed31defc629, c956b9b318d9036701c471dd458f9ed31defc629, c956b9b318d9036701c471dd458f9ed31defc629unaffected
LinuxLinux6.2, 0, 6.6.51, 6.10.10, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.