Cyber Posture

CVE-2024-58007

High

Published: 27 February 2025

Modified: 03 November 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-58007 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks at the 1.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the out-of-bounds read vulnerability by applying the kernel patch that replaces offsetof() with offsetofend() for proper bounds checking of the serial_num field in SMEM.

prevent

Requires the kernel to validate the SMEM item_size input before accessing the serial_num field, preventing the out-of-bounds read triggered by SOCINFO_VERSION(0,8) on MSM8916 devices.

prevent

Enforces configuration settings to restrict read access to the vulnerable /sys/devices/soc0/serial_number sysfs entry, blocking low-privilege local attackers from triggering the flaw.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read via local sysfs access directly enables unauthorized data retrieval from kernel memory (T1005) and system crash via invalid memory access (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: socinfo: Avoid out of bounds read of serial number

On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always:

    db410c:/sys/devices/soc0$ cat serial_number
    2644893864

The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM.

Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account.

Deeper analysis

CVE-2024-58007 is an out-of-bounds read vulnerability in the Linux kernel's Qualcomm socinfo driver, specifically affecting MSM8916 devices. The issue arises when reading the serial number exposed via sysfs, as the firmware on these devices reports SOCINFO_VERSION(0,8), which lacks support for the serial_num field in the socinfo struct stored in SMEM. An existing bounds check incorrectly uses the start offset of the serial_num field rather than its end, resulting in an out-of-bounds read of memory following the socinfo struct. This has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and is classified under CWE-125 (Out-of-bounds Read).

A local attacker with low privileges can exploit this vulnerability by accessing the serial_number sysfs entry under /sys/devices/soc0. Successful exploitation allows reading whatever data follows the socinfo struct in SMEM, potentially disclosing sensitive information (high confidentiality impact), and may trigger a kernel crash due to the invalid memory access (high availability impact). No user interaction is required, and the attack has low complexity.

The provided references point to stable kernel patch commits that resolve the issue by replacing offsetof() with offsetofend() in the bounds check, ensuring the entire serial_num field fits within the reported item_size from SMEM. Security practitioners should apply these upstream fixes to affected Linux kernel versions supporting MSM8916 devices to mitigate the vulnerability.
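The start-versus-end bounds check described above, as an added userspace example (not the kernel's code or the patch itself): struct socinfo_demo is a simplified, hypothetical layout, and the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace stand-in for the kernel's offsetofend() helper. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Simplified, hypothetical layout; not the kernel's real struct socinfo. */
struct socinfo_demo {
	uint32_t fmt;
	uint32_t id;
	uint32_t ver;
	uint32_t pmic_model;  /* last field an older firmware format provides */
	uint32_t serial_num;  /* only present in newer formats */
};

/* Pre-fix style check: only the start of serial_num must be inside the item. */
int serial_visible_start_check(size_t item_size)
{
	return offsetof(struct socinfo_demo, serial_num) <= item_size;
}

/* Fixed check: the whole serial_num field must be inside the item. */
int serial_visible_end_check(size_t item_size)
{
	return offsetofend(struct socinfo_demo, serial_num) <= item_size;
}

/* Copy serial_num out of an SMEM-like buffer if the selected check allows it.
 * Returns 1 and fills *out when the field is exposed, 0 when it is hidden. */
int read_serial(const uint8_t *smem, size_t item_size, int fixed, uint32_t *out)
{
	int ok = fixed ? serial_visible_end_check(item_size)
		       : serial_visible_start_check(item_size);
	if (!ok)
		return 0;
	memcpy(out, smem + offsetof(struct socinfo_demo, serial_num), sizeof(*out));
	return 1;
}

/* Constructed sample: a 16-byte item followed by unrelated neighbour bytes. */
int demo(int fixed, uint32_t *out)
{
	uint8_t region[24] = {0};               /* backing store larger than item */
	const uint32_t neighbour = 0xA5A5A5A5u; /* constructed adjacent data */
	size_t item_size = offsetof(struct socinfo_demo, serial_num); /* 16 */
	memcpy(region + item_size, &neighbour, sizeof(neighbour));
	return read_serial(region, item_size, fixed, out);
}
```

With the start-offset check, an item that ends exactly where serial_num would begin still passes, and the "serial number" returned is the neighbouring data; the end-offset check hides the field instead.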

Details

CWE(s)

Affected Products

linux
linux kernel
5.4 — 6.1.129 · 6.2 — 6.6.78 · 6.7 — 6.12.14

CVEs Like This One

CVE-2025-71231 · Same product: Linux Linux Kernel
CVE-2024-58015 · Same product: Linux Linux Kernel
CVE-2024-52332 · Same product: Linux Linux Kernel
CVE-2025-71093 · Same product: Linux Linux Kernel
CVE-2026-23397 · Same product: Linux Linux Kernel
CVE-2025-21742 · Same product: Linux Linux Kernel
CVE-2025-71133 · Same product: Linux Linux Kernel
CVE-2025-21789 · Same product: Linux Linux Kernel
CVE-2026-23187 · Same product: Linux Linux Kernel
CVE-2026-23315 · Same product: Linux Linux Kernel

References