CVE-2024-46848: perf/x86/intel: Limit the period on Haswell
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel: Limit the period on Haswell
Running the ltp test cve-2015-3290 concurrently reports the following
warnings.
perfevents: irq loop stuck!
WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174
intel_pmu_handle_irq+0x285/0x370
Call Trace:
<NMI>
? __warn+0xa4/0x220
? intel_pmu_handle_irq+0x285/0x370
? __report_bug+0x123/0x130
? intel_pmu_handle_irq+0x285/0x370
? __report_bug+0x123/0x130
? intel_pmu_handle_irq+0x285/0x370
? report_bug+0x3e/0xa0
? handle_bug+0x3c/0x70
? exc_invalid_op+0x18/0x50
? asm_exc_invalid_op+0x1a/0x20
? irq_work_claim+0x1e/0x40
? intel_pmu_handle_irq+0x285/0x370
perf_event_nmi_handler+0x3d/0x60
nmi_handle+0x104/0x330
Thanks to Thomas Gleixner's analysis, the issue is caused by the low
initial period (1) of the frequency estimation algorithm, which triggers
the defects of the HW, specifically erratum HSW11 and HSW143. (For the
details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)
The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL
event, but the initial period in the freq mode is 1. The erratum is the
same as the BDM11, which has been supported in the kernel. A minimum
period of 128 is enforced as well on HSW.
HSW143 is regarding that the fixed counter 1 may overcount 32 with the
Hyper-Threading is enabled. However, based on the test, the hardware
has more issues than it tells. Besides the fixed counter 1, the message
'interrupt took too long' can be observed on any counter which was armed
with a period < 32 and two events expired in the same NMI. A minimum
period of 32 is enforced for the rest of the events.
The recommended workaround code of the HSW143 is not implemented.
Because it only addresses the issue for the fixed counter. It brings
extra overhead through extra MSR writing. No related overcounting issue
has been reported so far.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue affects Intel Haswell performance monitoring. Under certain perf-event timing conditions, hardware errata can trigger stuck interrupt-loop warnings. The public record shows a kernel fix, but no CVSS score, CWE, or confirmed active exploitation.
Executive priority
Treat as a targeted kernel maintenance item, not an emergency based on current evidence. Prioritize patching on Haswell Linux systems, especially shared or performance-monitoring-heavy hosts.
Technical view
The kernel perf/x86/intel code used very small initial periods in frequency mode. On Haswell, this interacts with errata HSW11 and HSW143. The fix enforces minimum PMU event periods: 128 for INST_RETIRED.ALL and 32 for other events.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions on Intel Haswell-class hardware where perf events or similar PMU activity can be exercised. The provided data does not establish remote exposure.
Exploitation context
KEV is false and the bundle cites no public exploitation. The issue was observed while running an LTP regression test for CVE-2015-3290 concurrently, producing kernel warnings in NMI/perf handling.
Researcher notes
The record ties the defect to Haswell PMU errata and perf frequency estimation periods. The recommended HSW143 workaround was not implemented because it targets only fixed counter 1 and adds MSR overhead.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
Prioritize Haswell systems where perf events are enabled or used.
Track Debian LTS guidance if running affected Debian kernels.
If updates are unavailable, follow vendor guidance for temporary controls.
Validation and detection
Inventory Linux kernel versions and Intel Haswell hardware exposure.
Check vendor changelogs for CVE-2024-46848 or the referenced stable commits.
Review kernel logs for perf-event NMI warnings described in the CVE.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-46848 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.