LiveActive security incident?Get immediate response
CVE Record

CVE-2024-46845: tracing/timerlat: Only clear timer if a kthread exists

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-46845 is a Linux kernel memory-safety flaw in the timerlat tracing feature. A shutdown race can make the kernel free a high-resolution timer twice, creating a use-after-free condition. The sources do not show remote exploitation, public exploit use, or a CVSS score.

Executive priority

Treat as a kernel patch-management item, not an emergency internet-facing incident based on current evidence. Prioritize systems where tracing is enabled, exposed to less-trusted local users, or used in production latency monitoring.

Technical view

The timerlat tracer can run user-space latency threads. If a program is terminated while threads are closing, a new tracing instance can reset state before shutdown completes. That can lead to double shutdown/free of an hrtimer tied to a kthread. The stable fix only cancels the timer when the kthread still exists and adds locking around kthread reset.

Likely exposure

Exposure appears limited to Linux systems running affected kernels where timerlat tracing is used or accessible. The source bundle lists affected Linux versions and stable commits, but does not define access prerequisites, distribution package status, or whether unprivileged users can reach the vulnerable path.

Exploitation context

CISA KEV status is false in the source bundle. No cited source states active exploitation, public exploit availability, or remote attack capability. The described condition is a race during timerlat thread shutdown and restart, triggered around SIGTERM and file descriptor closure.

Researcher notes

Evidence supports a kernel use-after-free caused by timerlat shutdown/restart synchronization gaps. The source explicitly calls the patch a quick backportable fix and notes broader synchronization work would be a more complete design fix. Access requirements and exploitability are not established in the provided sources.

Mitigation direction

  • Update affected Linux kernels to vendor-supported builds containing the stable fixes.
  • Check distribution advisories for package names, fixed builds, and reboot requirements.
  • Restrict access to kernel tracing interfaces unless operationally required.
  • Monitor systems using timerlat or osnoise tracing for unusual crashes or instability.

Validation and detection

  • Inventory kernel versions across Linux hosts and appliances.
  • Identify hosts using timerlat, osnoise, or tracing workloads.
  • Compare installed kernels with vendor advisories and stable fix references.
  • Confirm patched hosts have rebooted into the fixed kernel.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-46845 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxe88ed227f639ebcb31ed4e5b88756b47d904584b, e88ed227f639ebcb31ed4e5b88756b47d904584b, e88ed227f639ebcb31ed4e5b88756b47d904584bunaffected
LinuxLinux6.5, 0, 6.6.51, 6.10.10, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.