CVE-2024-57798
Published: 11 January 2025
Summary
CVE-2024-57798 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the race condition causing use-after-free and NULL dereference by applying specific Linux kernel patches.
Implements kernel memory protections that mitigate exploitation of the use-after-free vulnerability in the DRM DP MST subsystem.
Enforces secure configuration settings for the Linux kernel to enable hardening features that reduce the impact of race conditions and memory errors.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF/NULL dereference enables privilege escalation to arbitrary code execution in kernel context.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req() While receiving an MST up request message from one thread in drm_dp_mst_handle_up_req(), the MST topology could be removed from another thread via…
more
drm_dp_mst_topology_mgr_set_mst(false), freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL. This could lead to a NULL deref/use-after-free of mst_primary in drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for mst_primary in drm_dp_mst_handle_up_req() while it's used. v2: Fix kfreeing the request if getting an mst_primary reference fails.
Deeper analysisAI
CVE-2024-57798 is a use-after-free and NULL pointer dereference vulnerability in the Linux kernel's Direct Rendering Manager (DRM) DisplayPort Multi-Stream Transport (DP MST) subsystem. The issue occurs in the drm_dp_mst_handle_up_req() function, where a race condition allows one thread to process an MST up request message while another thread removes the MST topology via drm_dp_mst_topology_mgr_set_mst(false). This frees the mst_primary structure and sets drm_dp_mst_topology_mgr::mst_primary to NULL, potentially leading to a NULL dereference or use-after-free when accessing mst_primary.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel crashes, data corruption, or arbitrary code execution through the use-after-free condition (CWE-416) or NULL pointer dereference (CWE-476).
Mitigation involves applying kernel patches that ensure a reference to mst_primary is held during its use in drm_dp_mst_handle_up_req(), with an additional fix in version 2 to handle kfreeing of the request if reference acquisition fails. Relevant stable kernel commits include 9735d40f5fde, ce55818b2d3a, e54b00086f74, and f61b2e5e7821, available via kernel.org. Debian LTS users should refer to the announcement at lists.debian.org for updated packages.
Details
- CWE(s)