Cyber Resilience

CVE-2024-56766

High

Published: 06 January 2025

Published
06 January 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56766 is a high-severity Double Free (CWE-415) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-56766 is a double free vulnerability (CWE-415) in the Linux kernel's MTD raw NAND subsystem, specifically within the atmel_pmecc_create_user() function. The issue arises because the "user" pointer allocation was changed from kzalloc() to devm_kzalloc(), but the code still calls kfree() on it, resulting in a double free. It affects Linux kernel versions prior to the application of the relevant stable patches and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Successful exploitation could lead to high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data corruption, or system crashes within the kernel context.

Mitigation is provided through upstream kernel patches available in the following stable commit references: https://git.kernel.org/stable/c/1562871ef613fa9492aa0310933eff785166a90e, https://git.kernel.org/stable/c/3d825a241e65f7e3072978729e79d735ec40b80e, https://git.kernel.org/stable/c/6ea15205d7e2b811fbbdf79783f686f58abfb4b7, https://git.kernel.org/stable/c/ca9818554b0f33e87f38e4bfa2dac056692d46cc, and https://git.kernel.org/stable/c/d2f090ea57f8d6587e09d4066f740a8617767b3d. Security practitioners should update affected Linux kernels to incorporate these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fix double free in atmel_pmecc_create_user() The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Double-free kernel vulnerability in Linux MTD NAND subsystem enables local low-privileged attacker to achieve arbitrary code execution and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23387Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-31489Same product: Linux Linux Kernel
CVE-2026-23162Same product: Linux Linux Kernel
CVE-2026-23068Same product: Linux Linux Kernel
CVE-2026-31475Same product: Linux Linux Kernel
CVE-2026-31468Same product: Linux Linux Kernel
CVE-2024-58055Same product: Linux Linux Kernel
CVE-2026-31471Same product: Linux Linux Kernel
CVE-2026-23408Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.13 · 4.19.325 — 4.20 · 5.4.287 — 5.5 · 5.10.231 — 5.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and patching of flaws like this double free vulnerability in the Linux kernel MTD subsystem.

detect

RA-5 requires vulnerability scanning and monitoring to identify systems running kernel versions affected by CVE-2024-56766.

prevent

SI-16 enforces memory protection mechanisms such as kernel address space randomization that mitigate exploitation of double free vulnerabilities.

References