CVE-2024-58076: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: gcc-sm6350: Add missing parent_map for two clocks
If a clk_rcg2 has a parent, it should also have parent_map defined,
otherwise we'll get a NULL pointer dereference when calling clk_set_rate
like the following:
[ 3.388105] Call trace:
[ 3.390664] qcom_find_src_index+0x3c/0x70 (P)
[ 3.395301] qcom_find_src_index+0x1c/0x70 (L)
[ 3.399934] _freq_tbl_determine_rate+0x48/0x100
[ 3.404753] clk_rcg2_determine_rate+0x1c/0x28
[ 3.409387] clk_core_determine_round_nolock+0x58/0xe4
[ 3.421414] clk_core_round_rate_nolock+0x48/0xfc
[ 3.432974] clk_core_round_rate_nolock+0xd0/0xfc
[ 3.444483] clk_core_set_rate_nolock+0x8c/0x300
[ 3.455886] clk_set_rate+0x38/0x14c
Add the parent_map property for two clocks where it's missing and also
un-inline the parent_data as well to keep the matching parent_map and
parent_data together.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel availability bug in Qualcomm SM6350 clock handling. A missing clock parent mapping can trigger a NULL pointer dereference when a clock rate is changed, potentially crashing affected systems. It does not indicate data theft or privilege escalation in the supplied sources.
Executive priority
Treat as a targeted availability risk. It is not a broad internet-facing emergency from the supplied evidence, but SM6350 device fleets should patch during the next appropriate maintenance window, sooner where uptime is critical.
Technical view
The Qualcomm gcc-sm6350 clock driver defines clk_rcg2 parents without matching parent_map entries for two clocks. When clk_set_rate reaches qcom_find_src_index through rate determination, the missing mapping can dereference NULL and crash the kernel. The CVE maps this to CWE-476 with CVSS 5.5, local, low-privilege, availability-only impact.
Likely exposure
Exposure appears limited to Linux kernels running the Qualcomm SM6350 GCC clock driver. This is most relevant to devices or custom kernels for SM6350-based hardware. General servers without this Qualcomm clock path are unlikely to be exposed based on the supplied sources.
Exploitation context
The bundle does not cite active exploitation, and KEV is false. The CVSS vector requires local access with low privileges and no user interaction. The practical impact is denial of service through kernel crash, not confidentiality or integrity compromise.
Researcher notes
Evidence supports a kernel NULL pointer dereference caused by missing parent_map definitions. The source bundle provides fix commits and one Debian LTS reference, but does not provide public exploit evidence, affected distro package granularity beyond Debian, or device-specific exposure lists.
Mitigation direction
Apply the relevant Linux stable kernel update containing the referenced fixes.
Check Debian LTS guidance if using Debian-packaged kernels.
Prioritize SM6350-based devices and custom kernel builds first.
If no vendor package is available, track vendor kernel advisories before changing production kernels.
Validation and detection
Inventory Linux kernel versions and hardware using Qualcomm SM6350 support.
Confirm whether the gcc-sm6350 clock driver is built or loaded.
Compare kernel source or package changelog against the referenced stable commits.
Review crash logs for clk_set_rate, qcom_find_src_index, or clk_rcg2 traces.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.