CVE-2024-26615: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix illegal rmb_desc access in SMC-D connection dump

A crash was found when dumping SMC-D connections. It can be reproduced by the following steps:

- run nginx/wrk test:
  smc_run nginx
  smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>
- continuously dump SMC-D connections in parallel:
  watch -n 1 'smcss -D'

BUG: kernel NULL pointer dereference, address: 0000000000000030
CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55
RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
Call Trace:
<TASK>
? __die+0x24/0x70
? page_fault_oops+0x66/0x150
? exc_page_fault+0x69/0x140
? asm_exc_page_fault+0x26/0x30
? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
? __kmalloc_node_track_caller+0x35d/0x430
? __alloc_skb+0x77/0x170
smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
smc_diag_dump+0x26/0x60 [smc_diag]
netlink_dump+0x19f/0x320
__netlink_dump_start+0x1dc/0x300
smc_diag_handler_dump+0x6a/0x80 [smc_diag]
? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
sock_diag_rcv_msg+0x121/0x140
? __pfx_sock_diag_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5a/0x110
sock_diag_rcv+0x28/0x40
netlink_unicast+0x22a/0x330
netlink_sendmsg+0x1f8/0x420
__sock_sendmsg+0xb0/0xc0
____sys_sendmsg+0x24e/0x300
? copy_msghdr_from_user+0x62/0x80
___sys_sendmsg+0x7c/0xd0
? __do_fault+0x34/0x160
? do_read_fault+0x5f/0x100
? do_fault+0xb0/0x110
? __handle_mm_fault+0x2b0/0x6c0
__sys_sendmsg+0x4d/0x80
do_syscall_64+0x69/0x180
entry_SYSCALL_64_after_hwframe+0x6e/0x76

It is possible that the connection is in the process of being established when we dump it. Assumed that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.
AI Analysis
Technical Summary
CVE-2024-26615 is a NULL pointer dereference in the Linux kernel's SMC (Shared Memory Communications) subsystem, in the net/smc diagnostic code (the smc_diag module) that answers socket-diagnostics dump requests for SMC-D connections. The dump walks connections that have already been registered in a link group by smc_conn_create() and reads their RMB/DMB descriptor through conn->rmb_desc. That descriptor is only attached later, by smc_buf_create(), so a dump that runs in the window between the two steps reads through a NULL rmb_desc; the faulting address in the report, 0x30, is a field offset inside the missing descriptor rather than a random address. The window is easy to hit under connection churn: the reporter reproduced it by driving nginx with wrk under smc_run using 'Connection: Close' while smcss -D ran every second. The oops occurs in __smc_diag_dump in the context of the dumping process (Comm: smcss), and the call trace shows the request entering through the generic sock_diag netlink path (sock_diag_rcv_msg), the same path smcss uses. The immediate effect is a kernel oops that kills the dumping process and taints the kernel; on hosts with kernel.panic_on_oops=1, which some hardened or kdump-oriented configurations set, the whole host panics instead. No exploitation in the wild is known and no CVSS score has been assigned. The fix adds a check that conn->rmb_desc is set before the SMC-D descriptor is dumped, so connections still being established are skipped rather than dereferenced.
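The race described above, modelled as an added C example that is not kernel code: the struct names and the two-phase connection setup are simplified stand-ins for the kernel's struct smc_connection and struct smc_buf_desc, the unchecked dump reproduces the pre-fix behaviour and the checked dump the post-fix guard. Token values and buffer lengths are constructed for the demonstration.

```c
/* Added example, not Linux kernel code: models the SMC-D connection-setup race
 * behind CVE-2024-26615 and the guard the fix adds.  All struct and field names
 * are simplified stand-ins for the kernel's own (assumption, not the real layout). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct smc_buf_desc {              /* stand-in for the RMB/DMB descriptor */
    uint64_t dma_addr;
    size_t   len;
    int      is_dmb;
};

struct smc_connection {            /* stand-in: only the fields the dump needs */
    uint32_t alert_token_local;    /* nonzero once registered in the link group */
    int      is_smcd;
    struct smc_buf_desc *rmb_desc; /* NULL until smc_buf_create() runs */
};

struct smcd_diag_dmbinfo {         /* the per-connection record smcss -D shows */
    uint32_t token;
    uint64_t dma_addr;
    size_t   len;
};

/* Phase 1 of setup: the connection is visible in the link group, no buffers yet. */
static void smc_conn_create(struct smc_connection *conn, uint32_t token)
{
    conn->alert_token_local = token;
    conn->is_smcd = 1;
    conn->rmb_desc = NULL;
}

/* Phase 2: attach the descriptor.  A concurrent dump can run between the two
 * phases, which is the window the crash report describes. */
static void smc_buf_create(struct smc_connection *conn,
                           struct smc_buf_desc *desc, size_t len)
{
    desc->dma_addr = 0x1000;       /* constructed value */
    desc->len = len;
    desc->is_dmb = 1;
    conn->rmb_desc = desc;
}

/* Pre-fix logic: trusts that a registered SMC-D connection has its descriptor.
 * On a half-initialised connection this reads through NULL; in the kernel that
 * is the oops at address 0x30, a field offset inside the missing descriptor. */
static int dump_dmbinfo_unchecked(const struct smc_connection *conn,
                                  struct smcd_diag_dmbinfo *out)
{
    if (!conn->is_smcd || !conn->alert_token_local)
        return 0;
    out->token = conn->alert_token_local;
    out->dma_addr = conn->rmb_desc->dma_addr;   /* NULL deref in the race window */
    out->len = conn->rmb_desc->len;
    return 1;
}

/* Post-fix logic: skip connections whose descriptor is not attached yet.
 * Returns 1 if a record was emitted, 0 if the connection was skipped. */
static int dump_dmbinfo_checked(const struct smc_connection *conn,
                                struct smcd_diag_dmbinfo *out)
{
    if (!conn->is_smcd || !conn->alert_token_local || !conn->rmb_desc)
        return 0;
    out->token = conn->alert_token_local;
    out->dma_addr = conn->rmb_desc->dma_addr;
    out->len = conn->rmb_desc->len;
    return 1;
}

/* Walk a link group's connections the way the diag dump does and return how many
 * records came out; entries caught mid-setup are skipped, not crashed on. */
static int dump_link_group(const struct smc_connection *conns, int n,
                           struct smcd_diag_dmbinfo *out, int out_cap)
{
    int emitted = 0;
    for (int i = 0; i < n && emitted < out_cap; i++)
        emitted += dump_dmbinfo_checked(&conns[i], &out[emitted]);
    return emitted;
}

int main(void)
{
    struct smc_connection conns[3];
    struct smc_buf_desc descs[3];
    struct smcd_diag_dmbinfo out[3];

    smc_conn_create(&conns[0], 0x11); smc_buf_create(&conns[0], &descs[0], 65536);
    smc_conn_create(&conns[1], 0x22);           /* caught mid-setup: no rmb_desc */
    smc_conn_create(&conns[2], 0x33); smc_buf_create(&conns[2], &descs[2], 16384);

    int n = dump_link_group(conns, 3, out, 3);
    printf("dumped %d of 3 connections (1 skipped while being established)\n", n);
    for (int i = 0; i < n; i++)
        printf("  token=%#x len=%zu\n", (unsigned)out[i].token, out[i].len);
    /* dump_dmbinfo_unchecked(&conns[1], &out[0]) would dereference NULL here. */
    return 0;
}
```

The guard is deliberately placed in the dump, not in connection setup: setup has to publish the connection in the link group before buffers exist, so the reader of that shared state is the side that must tolerate the intermediate state.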
Potential Impact
For European organizations, the exposure is limited to hosts where the SMC stack is active. SMC-D carries traffic over ISM (Internal Shared Memory) devices, an IBM Z / LinuxONE feature, so the affected population is mainly mainframe-hosted Linux in data centre and enterprise environments that enable Shared Memory Communications for low-latency, low-CPU networking; fleets that never load the smc modules are not affected. The impact is denial of service: a kernel oops when a diagnostic dump coincides with connection establishment under load. Two things have to line up. Something must be creating SMC-D connections (a remote peer can supply this churn, deliberately or as ordinary traffic), and a local process must issue the connection dump through the sock_diag netlink interface, which is what smcss -D from smc-tools does and what a monitoring agent polling SMC state would do. The dump requester is the process that oopses, but the kernel is left tainted and, where kernel.panic_on_oops is enabled, the host goes down. The bug gives no privilege escalation or data disclosure. Organizations that run automated SMC diagnostics on a timer, as the reproducer does with watch, are the ones most likely to hit it in production. Given the Linux kernel's widespread use across European industries, including the finance, telecommunications and government sectors where IBM Z is typically deployed, unpatched hosts in these environments are the relevant concern.
Mitigation Recommendations
European organizations should update to a kernel that carries the upstream fix (net/smc: fix illegal rmb_desc access in SMC-D connection dump) or their distribution's backport of it; the distribution advisory for CVE-2024-26615 is the authoritative source for fixed package versions. To decide whether a host is in scope at all, check whether the smc and smc_diag modules are loaded (lsmod) and whether anything on the host is configured to use SMC (smc_run wrappers, SMC-aware applications); on hosts that do not use SMC, blacklisting the smc and smc_diag modules through a modprobe.d entry removes the code path entirely. Where patching has to wait, stop periodic SMC-D connection dumps (smcss -D and any monitoring agent that queries SMC sockets through sock_diag), particularly during high connection churn; this only shrinks the window and is not a fix. Alert on kernel oops records whose faulting RIP falls in the smc_diag module (a "BUG: kernel NULL pointer dereference" line followed by an RIP line tagged [smc_diag]) to catch both accidental and deliberate triggering, and review the kernel.panic_on_oops setting so you know in advance whether such an oops means one killed process or a rebooted host. Where SMC is required on critical systems, kernel live patching can deliver the fix without a reboot. Finally, make sure incident response plans cover denial of service from kernel crashes on these hosts.
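A minimal classifier for the oops signature named in the monitoring recommendation, added here as an example that is not part of the page, of smc-tools or of any kernel tool. The log excerpt is constructed from the lines quoted in the description plus an unrelated second oops so the filter has something to reject; the function and its module-matching logic are this example's own design.

```c
/* Added example, not part of the page or any kernel tool: flags kernel-log
 * oops records whose faulting RIP lies in a given module, the signature of the
 * CVE-2024-26615 crash ("BUG: kernel NULL pointer dereference" followed by an
 * RIP line tagged [smc_diag]).  SAMPLE_LOG is constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: two oops records, only the first is in smc_diag. */
static const char SAMPLE_LOG[] =
    "[  120.001] BUG: kernel NULL pointer dereference, address: 0000000000000030\n"
    "[  120.002] CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55\n"
    "[  120.003] RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]\n"
    "[  120.004] Call Trace:\n"
    "[  300.001] BUG: kernel NULL pointer dereference, address: 0000000000000008\n"
    "[  300.002] RIP: 0010:some_other_func+0x10/0x40 [other_mod]\n";

/* Scan `log` line by line.  A BUG line opens an oops record; the first RIP line
 * after it settles which code faulted.  If that RIP is tagged "[module]", copy the
 * symbol name (text between the "0010:" segment prefix and '+') into sym and
 * return 1.  Returns 0 when no such oops exists.  symlen must be > 0. */
int oops_in_module(const char *log, const char *module, char *sym, size_t symlen)
{
    char needle[64];
    int in_oops = 0;
    const char *line = log;

    snprintf(needle, sizeof needle, "[%s]", module);
    sym[0] = '\0';

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];                      /* NUL-terminated copy of this line */
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (strstr(buf, "BUG: kernel NULL pointer dereference")) {
            in_oops = 1;                    /* a new oops record starts here */
        } else if (in_oops) {
            const char *rip = strstr(buf, "RIP: ");
            if (rip) {
                in_oops = 0;                /* first RIP line closes the record */
                if (strstr(rip, needle)) {
                    const char *p = rip + 5;            /* "0010:sym+off/size [mod]" */
                    const char *colon = strchr(p, ':');
                    if (colon)
                        p = colon + 1;                  /* skip the segment prefix */
                    const char *plus = strchr(p, '+');
                    size_t n = plus ? (size_t)(plus - p) : strlen(p);
                    if (n >= symlen)
                        n = symlen - 1;
                    memcpy(sym, p, n);
                    sym[n] = '\0';
                    return 1;
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

int main(void)
{
    char sym[64];
    if (oops_in_module(SAMPLE_LOG, "smc_diag", sym, sizeof sym))
        printf("ALERT: NULL-pointer oops in smc_diag at %s (CVE-2024-26615 signature)\n", sym);
    else
        printf("no smc_diag oops found\n");
    return 0;
}
```

Feed it the output of dmesg or the journal's kernel facility; matching on the RIP line rather than on the "Comm:" line means it still fires when a monitoring agent other than smcss issued the dump.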
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.131Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe41bf
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:13:13 PM
Last updated: 8/15/2025, 3:24:42 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)