Security readout for executives and security teams
Plain-English summary
This Linux kernel bug can crash a system when the nvkm GSP message queue is parsed incorrectly. The public record describes a kernel panic from a NULL pointer dereference, which primarily points to availability risk rather than data theft. No source provided indicates active exploitation.
Executive priority
Prioritize patching on Linux hosts where GPU availability or workload uptime matters. Broader emergency response is not supported by the provided evidence because exploitation and severity scoring are not documented.
Technical view
The nvkm GSP handler advanced its read pointer using only RPC header and body size, not the full GSP event message. A two-page message could desynchronize parsing, produce an invalid copy length, and trigger a NULL pointer dereference in r535_gsp_msg_recv.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the nvkm GSP code path in use. The CVE record lists Linux as affected and references stable kernel fixes. Downstream distribution package status is not provided in the source bundle.
Exploitation context
The source bundle provides a crash trace and kernel fix references, but no public exploit, no CVSS score, and no KEV listing. Treat this as a reliability and denial-of-service concern unless additional vendor intelligence changes that assessment.
Researcher notes
Key evidence is the upstream Linux resolution and crash trace. The root cause is read-pointer advancement mismatch for multi-page GSP messages. Affected-version details are sparse and should be mapped carefully against distro kernels and backports.
Mitigation direction
Apply Linux kernel updates containing the referenced stable fixes.
Use distribution advisories to confirm fixed package versions.
Reboot systems after kernel update so patched code is active.
If packages are unavailable, check vendor guidance before changing driver behavior.
Validation and detection
Inventory Linux kernel versions across systems using nvkm.
Check whether running kernels include the referenced stable commits.
Review kernel logs for nvkm gsp message queue panics.
Regression test GPU-related workloads after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-58019 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Feb 27, 2025, 02:12 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.