CVE-2024-26605: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

PCI/ASPM: Fix deadlock when enabling ASPM

A last minute revert in 6.7-final introduced a potential deadlock when enabling ASPM during probe of Qualcomm PCIe controllers as reported by lockdep:

    ============================================
    WARNING: possible recursive locking detected
    6.7.0 #40 Not tainted
    --------------------------------------------
    kworker/u16:5/90 is trying to acquire lock:
    ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc

    but task is already holding lock:
    ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(pci_bus_sem);
      lock(pci_bus_sem);

     *** DEADLOCK ***

    Call trace:
     print_deadlock_bug+0x25c/0x348
     __lock_acquire+0x10a4/0x2064
     lock_acquire+0x1e8/0x318
     down_read+0x60/0x184
     pcie_aspm_pm_state_change+0x58/0xdc
     pci_set_full_power_state+0xa8/0x114
     pci_set_power_state+0xc4/0x120
     qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]
     pci_walk_bus+0x64/0xbc
     qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]

The deadlock can easily be reproduced on machines like the Lenovo ThinkPad X13s by adding a delay to increase the race window during asynchronous probe where another thread can take a write lock.

Add a new pci_set_power_state_locked() and associated helper functions that can be called with the PCI bus semaphore held to avoid taking the read lock twice.
AI Analysis
Technical Summary
CVE-2024-26605 is a vulnerability in the Linux kernel's PCI Express Active State Power Management (ASPM) code that is triggered when enabling ASPM on Qualcomm PCIe controllers. It was introduced by a last-minute revert in Linux 6.7-final, which created a potential deadlock during the asynchronous probe phase of PCIe device initialization. The deadlock arises from recursive locking of the pci_bus_sem semaphore: a thread attempts to acquire a read lock on pci_bus_sem in pcie_aspm_pm_state_change while already holding a read lock on the same semaphore, taken in pci_walk_bus. If another thread tries to take the write lock between the two acquisitions, the second read acquisition waits behind the writer while the writer waits for the first read lock to be released, so neither can proceed. The lockdep warning and call trace show this pattern through pcie_aspm_pm_state_change, pci_set_power_state, and qcom_pcie_enable_aspm. The deadlock can easily be reproduced on hardware like the Lenovo ThinkPad X13s by adding a delay that widens the race window during asynchronous probing. The root cause is the lack of a dedicated function for changing the power state while the PCI bus semaphore is already held; the fix introduces pci_set_power_state_locked() and related helper functions so the read lock is not taken twice. This vulnerability affects multiple Linux kernel commits identified by their hashes, indicating it impacts recent kernel versions prior to the fix. No known exploits are reported in the wild at this time.
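The locking pattern from the lockdep report, reduced to a single-threaded model (an added example, not kernel code and not part of the original advisory). It assumes a writer-fair semaphore in which a queued writer blocks new readers; struct rwsem_model and the *_model functions are hypothetical names, and only pci_bus_sem, pci_walk_bus() and pci_set_power_state()/pci_set_power_state_locked() come from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of pci_bus_sem; not the kernel's struct rw_semaphore. */
struct rwsem_model {
    int readers;          /* tasks holding the read side */
    int waiting_writers;  /* writers queued behind those readers */
};

/* Assumed fairness rule: once a writer is queued, new readers must wait.
 * Returns false at the point where the real caller would sleep. */
static bool down_read_model(struct rwsem_model *s)
{
    if (s->waiting_writers > 0)
        return false;
    s->readers++;
    return true;
}

static void up_read_model(struct rwsem_model *s) { s->readers--; }

/* A writer arriving while readers hold the lock joins the queue. */
static void writer_arrives_model(struct rwsem_model *s)
{
    if (s->readers > 0)
        s->waiting_writers++;
}

/* One bus walk. use_locked selects the fixed callback, which does not
 * re-take the lock. Returns true if the walk runs to completion. */
static bool walk_bus_model(bool use_locked, bool writer_races)
{
    struct rwsem_model pci_bus_sem = { 0, 0 };

    if (!down_read_model(&pci_bus_sem))      /* pci_walk_bus() */
        return false;
    if (writer_races)                        /* other thread, async probe */
        writer_arrives_model(&pci_bus_sem);
    if (!use_locked) {                       /* pci_set_power_state() */
        if (!down_read_model(&pci_bus_sem))
            return false;                    /* sleeps holding the lock: deadlock */
        up_read_model(&pci_bus_sem);
    }                                        /* else pci_set_power_state_locked() */
    up_read_model(&pci_bus_sem);
    return true;
}

int main(void)
{
    printf("unfixed + writer: %s\n", walk_bus_model(false, true) ? "completes" : "deadlock");
    printf("fixed + writer:   %s\n", walk_bus_model(true, true) ? "completes" : "deadlock");
    return 0;
}
```

Without a racing writer the unfixed path also completes, which is why the recursive read lock goes unnoticed until a writer queues between the two acquisitions.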
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions on hardware utilizing Qualcomm PCIe controllers, including laptops and servers. The deadlock can cause system hangs or kernel stalls during device initialization or power state transitions, potentially leading to denial of service conditions. This can disrupt critical services, especially in environments relying on Linux-based infrastructure for networking, cloud computing, or embedded systems. The impact on confidentiality and integrity is minimal as the vulnerability is a deadlock rather than a code execution or privilege escalation flaw. However, availability is significantly affected since the deadlock can freeze kernel operations related to PCIe device management. Organizations with high availability requirements or those operating in sectors like finance, healthcare, or industrial control in Europe could experience operational disruptions. Additionally, the vulnerability may complicate system maintenance and updates, increasing downtime risk.
Mitigation Recommendations
European organizations should promptly update their Linux kernels to versions that include the fix for CVE-2024-26605. Specifically, they should apply patches that introduce pci_set_power_state_locked() and related helper functions to prevent recursive locking. For systems where immediate kernel upgrades are not feasible, administrators can consider disabling ASPM on Qualcomm PCIe controllers as a temporary workaround, though this may impact power efficiency. Monitoring kernel logs for lockdep warnings related to pci_bus_sem can help detect attempts to trigger the deadlock. Organizations should also test kernel updates in staging environments with hardware representative of production to ensure stability. For custom or embedded Linux distributions, maintainers must integrate the patch into their kernel builds. Finally, coordinating with hardware vendors to confirm compatibility and support for patched kernels is advisable to avoid regressions.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.130Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdd9d4
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:24:28 AM
Last updated: 8/8/2025, 6:49:54 PM