CVE-2024-46845: tracing/timerlat: Only clear timer if a kthread exists
In the Linux kernel, the following vulnerability has been resolved:
tracing/timerlat: Only clear timer if a kthread exists
The timerlat tracer can use user space threads to check for osnoise and
timer latency. If the program using this is killed via a SIGTERM, the
threads are shutdown one at a time and another tracing instance can start
up resetting the threads before they are fully closed. That causes the
hrtimer assigned to the kthread to be shutdown and freed twice when the
dying thread finally closes the file descriptors, causing a use-after-free
bug.
Only cancel the hrtimer if the associated thread is still around. Also add
the interface_lock around the resetting of the tlat_var->kthread.
Note, this is just a quick fix that can be backported to stable. A real
fix is to have a better synchronization between the shutdown of old
threads and the starting of new ones.
Security readout for executives and security teams
Plain-English summary
CVE-2024-46845 is a Linux kernel memory-safety flaw in the timerlat tracing feature. A shutdown race can make the kernel free a high-resolution timer twice, creating a use-after-free condition. The sources do not show remote exploitation, public exploit use, or a CVSS score.
Executive priority
Treat as a kernel patch-management item, not an emergency internet-facing incident based on current evidence. Prioritize systems where tracing is enabled, exposed to less-trusted local users, or used in production latency monitoring.
Technical view
The timerlat tracer can run user-space latency threads. If a program is terminated while threads are closing, a new tracing instance can reset state before shutdown completes. That can lead to double shutdown/free of an hrtimer tied to a kthread. The stable fix only cancels the timer when the kthread still exists and adds locking around kthread reset.
Likely exposure
Exposure appears limited to Linux systems running affected kernels where timerlat tracing is used or accessible. The source bundle lists affected Linux versions and stable commits, but does not define access prerequisites, distribution package status, or whether unprivileged users can reach the vulnerable path.
Exploitation context
CISA KEV status is false in the source bundle. No cited source states active exploitation, public exploit availability, or remote attack capability. The described condition is a race during timerlat thread shutdown and restart, triggered around SIGTERM and file descriptor closure.
Researcher notes
Evidence supports a kernel use-after-free caused by timerlat shutdown/restart synchronization gaps. The source explicitly calls the patch a quick backportable fix and notes broader synchronization work would be a more complete design fix. Access requirements and exploitability are not established in the provided sources.
Mitigation direction
Update affected Linux kernels to vendor-supported builds containing the stable fixes.
Check distribution advisories for package names, fixed builds, and reboot requirements.
Restrict access to kernel tracing interfaces unless operationally required.
Monitor systems using timerlat or osnoise tracing for unusual crashes or instability.
Validation and detection
Inventory kernel versions across Linux hosts and appliances.
Identify hosts using timerlat, osnoise, or tracing workloads.
Compare installed kernels with vendor advisories and stable fix references.
Confirm patched hosts have rebooted into the fixed kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46845 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.