CVE-2024-44951 (GCVE-0-2024-44951)

Vulnerability from cvelistv5 – Published: 2024-09-04 18:35 – Updated: 2026-05-23 15:53
VLAI
Title
serial: sc16is7xx: fix TX fifo corruption
Summary
In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix TX fifo corruption Sometimes, when a packet is received on channel A at almost the same time as a packet is about to be transmitted on channel B, we observe with a logic analyzer that the received packet on channel A is transmitted on channel B. In other words, the Tx buffer data on channel B is corrupted with data from channel A. The problem appeared since commit 4409df5866b7 ("serial: sc16is7xx: change EFR lock to operate on each channels"), which changed the EFR locking to operate on each channel instead of chip-wise. This commit has introduced a regression, because the EFR lock is used not only to protect the EFR registers access, but also, in a very obscure and undocumented way, to protect access to the data buffer, which is shared by the Tx and Rx handlers, but also by each channel of the IC. Fix this regression first by switching to kfifo_out_linear_ptr() in sc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer. Secondly, replace the chip-wise Rx buffer with a separate Rx buffer for each channel.
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4409df5866b7ff7686ba27e449ca97a92ee063c9 , < 09cfe05e9907f3276887a20e267cc40e202f4fdd (git)
Affected: 4409df5866b7ff7686ba27e449ca97a92ee063c9 , < 133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4 (git)
Affected: 4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68 (git)
Affected: 9879e1bec3c0f077427dd0d258c80c63ce9babdf (git)
Affected: dbe196ca489f3833e0f9eeb86ac346194f131c91 (git)
Affected: 6.1.76 , < 6.2 (semver)
Affected: 6.6.15 , < 6.7 (semver)
Affected: 6.7.3 , < 6.8 (semver)
Create a notification for this product.
Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.10.5 , ≤ 6.10.* (semver)
Unaffected: 6.11 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-44951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:40:19.986023Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-12T17:33:36.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/sc16is7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "09cfe05e9907f3276887a20e267cc40e202f4fdd",
              "status": "affected",
              "version": "4409df5866b7ff7686ba27e449ca97a92ee063c9",
              "versionType": "git"
            },
            {
              "lessThan": "133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4",
              "status": "affected",
              "version": "4409df5866b7ff7686ba27e449ca97a92ee063c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9879e1bec3c0f077427dd0d258c80c63ce9babdf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dbe196ca489f3833e0f9eeb86ac346194f131c91",
              "versionType": "git"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.76",
              "versionType": "semver"
            },
            {
              "lessThan": "6.7",
              "status": "affected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThan": "6.8",
              "status": "affected",
              "version": "6.7.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/sc16is7xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.11",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: sc16is7xx: fix TX fifo corruption\n\nSometimes, when a packet is received on channel A at almost the same time\nas a packet is about to be transmitted on channel B, we observe with a\nlogic analyzer that the received packet on channel A is transmitted on\nchannel B. In other words, the Tx buffer data on channel B is corrupted\nwith data from channel A.\n\nThe problem appeared since commit 4409df5866b7 (\"serial: sc16is7xx: change\nEFR lock to operate on each channels\"), which changed the EFR locking to\noperate on each channel instead of chip-wise.\n\nThis commit has introduced a regression, because the EFR lock is used not\nonly to protect the EFR registers access, but also, in a very obscure and\nundocumented way, to protect access to the data buffer, which is shared by\nthe Tx and Rx handlers, but also by each channel of the IC.\n\nFix this regression first by switching to kfifo_out_linear_ptr() in\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\n\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\neach channel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:53:12.452Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/09cfe05e9907f3276887a20e267cc40e202f4fdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4"
        }
      ],
      "title": "serial: sc16is7xx: fix TX fifo corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-44951",
    "datePublished": "2024-09-04T18:35:51.366Z",
    "dateReserved": "2024-08-21T05:34:56.665Z",
    "dateUpdated": "2026-05-23T15:53:12.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-44951",
      "date": "2026-06-07",
      "epss": "0.00018",
      "percentile": "0.04734"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-44951\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-04T19:15:30.153\",\"lastModified\":\"2024-10-09T14:27:43.973\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: sc16is7xx: fix TX fifo corruption\\n\\nSometimes, when a packet is received on channel A at almost the same time\\nas a packet is about to be transmitted on channel B, we observe with a\\nlogic analyzer that the received packet on channel A is transmitted on\\nchannel B. In other words, the Tx buffer data on channel B is corrupted\\nwith data from channel A.\\n\\nThe problem appeared since commit 4409df5866b7 (\\\"serial: sc16is7xx: change\\nEFR lock to operate on each channels\\\"), which changed the EFR locking to\\noperate on each channel instead of chip-wise.\\n\\nThis commit has introduced a regression, because the EFR lock is used not\\nonly to protect the EFR registers access, but also, in a very obscure and\\nundocumented way, to protect access to the data buffer, which is shared by\\nthe Tx and Rx handlers, but also by each channel of the IC.\\n\\nFix this regression first by switching to kfifo_out_linear_ptr() in\\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\\n\\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\\neach channel.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: serial: sc16is7xx: fix TX fifo democracy A veces, cuando se recibe un paquete en el canal A casi al mismo tiempo que se va a transmitir un paquete en el canal B, observamos con un analizador l\u00f3gico que el paquete recibido en el canal A se transmite en el canal B. En otras palabras, los datos del b\u00fafer de Tx en el canal B est\u00e1n da\u00f1ados con datos del canal A. El problema apareci\u00f3 desde el commit 4409df5866b7 (\\\"serial: sc16is7xx: change EFR lock to operate on each channels\\\"), que cambi\u00f3 el bloqueo de EFR para que funcione en cada canal en lugar de en todo el chip. Este commit ha introducido una regresi\u00f3n, porque el bloqueo de EFR se utiliza no solo para proteger el acceso a los registros de EFR, sino tambi\u00e9n, de una forma muy oscura y no documentada, para proteger el acceso al b\u00fafer de datos, que es compartido por los manejadores de Tx y Rx, pero tambi\u00e9n por cada canal del IC. Primero, solucione esta regresi\u00f3n cambiando a kfifo_out_linear_ptr() en sc16is7xx_handle_tx() para eliminar la necesidad de un b\u00fafer Rx/Tx compartido. En segundo lugar, reemplace el b\u00fafer Rx por chip con un b\u00fafer Rx separado para cada canal.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.76\",\"versionEndExcluding\":\"6.2\",\"matchCriteriaId\":\"9FE19A5C-D7A4-4995-BEE0-2B2E5B46EAC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.15\",\"versionEndExcluding\":\"6.7\",\"matchCriteriaId\":\"61253639-4FB4-4953-A092-ED155EAB1548\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7.3\",\"versionEndExcluding\":\"6.8\",\"matchCriteriaId\":\"20F5F360-294D-4182-AC38-2F032FA57B3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.10.5\",\"matchCriteriaId\":\"48E239A0-A959-4FAB-8475-D045FED3DDA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/09cfe05e9907f3276887a20e267cc40e202f4fdd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-44951\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T17:40:19.986023Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:27.672Z\"}}], \"cna\": {\"title\": \"serial: sc16is7xx: fix TX fifo corruption\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4409df5866b7ff7686ba27e449ca97a92ee063c9\", \"lessThan\": \"09cfe05e9907f3276887a20e267cc40e202f4fdd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4409df5866b7ff7686ba27e449ca97a92ee063c9\", \"lessThan\": \"133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4b068e55bf5ea7bab4d8a282c6a24b03e80c0b68\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9879e1bec3c0f077427dd0d258c80c63ce9babdf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"dbe196ca489f3833e0f9eeb86ac346194f131c91\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6.1.76\", \"lessThan\": \"6.2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.6.15\", \"lessThan\": \"6.7\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"6.7.3\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}], \"programFiles\": [\"drivers/tty/serial/sc16is7xx.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.10.5\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/tty/serial/sc16is7xx.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/09cfe05e9907f3276887a20e267cc40e202f4fdd\"}, {\"url\": \"https://git.kernel.org/stable/c/133f4c00b8b2bfcacead9b81e7e8edfceb4b06c4\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nserial: sc16is7xx: fix TX fifo corruption\\n\\nSometimes, when a packet is received on channel A at almost the same time\\nas a packet is about to be transmitted on channel B, we observe with a\\nlogic analyzer that the received packet on channel A is transmitted on\\nchannel B. In other words, the Tx buffer data on channel B is corrupted\\nwith data from channel A.\\n\\nThe problem appeared since commit 4409df5866b7 (\\\"serial: sc16is7xx: change\\nEFR lock to operate on each channels\\\"), which changed the EFR locking to\\noperate on each channel instead of chip-wise.\\n\\nThis commit has introduced a regression, because the EFR lock is used not\\nonly to protect the EFR registers access, but also, in a very obscure and\\nundocumented way, to protect access to the data buffer, which is shared by\\nthe Tx and Rx handlers, but also by each channel of the IC.\\n\\nFix this regression first by switching to kfifo_out_linear_ptr() in\\nsc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer.\\n\\nSecondly, replace the chip-wise Rx buffer with a separate Rx buffer for\\neach channel.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.5\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.1.76\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.6.15\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.7.3\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-23T15:53:12.452Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-44951\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-23T15:53:12.452Z\", \"dateReserved\": \"2024-08-21T05:34:56.665Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-09-04T18:35:51.366Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.