CVE-2024-26620: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

s390/vfio-ap: always filter entire AP matrix

The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function is to update the guest's AP configuration by filtering the matrix of adapters and domains assigned to the mdev. When an adapter or domain is assigned, only the APQNs associated with the APID of the new adapter or APQI of the new domain are inspected. If an APQN does not reference a queue device bound to the vfio_ap device driver, then its APID will be filtered from the mdev's matrix when updating the guest's AP configuration.

Inspecting only the APID of the new adapter or APQI of the new domain will result in passing AP queues through to a guest that are not bound to the vfio_ap device driver under certain circumstances. Consider the following:

guest's AP configuration (all also assigned to the mdev's matrix):
14.0004
14.0005
14.0006
16.0004
16.0005
16.0006

unassign domain 4
unbind queue 16.0005
assign domain 4

When domain 4 is re-assigned, since only domain 4 will be inspected, the APQNs that will be examined will be:
14.0004
16.0004

Since both of those APQNs reference queue devices that are bound to the vfio_ap device driver, nothing will get filtered from the mdev's matrix when updating the guest's AP configuration. Consequently, queue 16.0005 will get passed through despite not being bound to the driver. This violates the Linux device model requirement that a guest shall only be given access to devices bound to the device driver facilitating their pass-through.

To resolve this problem, every adapter and domain assigned to the mdev will be inspected when filtering the mdev's matrix.
AI Analysis
Technical Summary
CVE-2024-26620 is a vulnerability identified in the Linux kernel's s390 architecture VFIO AP (Adjunct Processor) mediated device (mdev) implementation. The vulnerability arises from improper filtering of the AP matrix when assigning adapters or domains to a mediated device. Specifically, the function vfio_ap_mdev_filter_matrix is responsible for updating the guest virtual machine's AP configuration by filtering the matrix of adapters and domains assigned to the mdev. However, the flawed logic inspects only the APQNs (AP queue numbers) that involve the APID (adapter identifier) of the newly assigned adapter or the APQI (queue index, which identifies the domain) of the newly assigned domain, rather than inspecting all adapters and domains assigned to the mdev. This selective inspection can lead to a scenario where AP queues that are not bound to the vfio_ap device driver are incorrectly passed through to the guest VM. For example, if a domain is unassigned, a queue in a different domain is unbound from the driver, and the first domain is then reassigned, only the reassigned domain's APQNs are inspected, so a queue such as 16.0005 that is no longer bound to the vfio_ap driver remains accessible to the guest. This behavior violates the Linux device model's security requirement that guests should only have access to devices bound to the device driver managing their pass-through. The fix involves modifying the filtering logic to inspect every adapter and domain assigned to the mdev, ensuring that only properly bound devices are exposed to the guest. This vulnerability affects Linux kernel versions identified by the commit hash 48cae940c31d2407d860d87c41d5f9871c0521db and was published on February 29, 2024. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
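The following Python model is an added illustration, not kernel code: it replays the advisory's unassign/unbind/assign sequence through both the pre-fix filter (only the new domain's APQNs inspected) and the fixed filter (entire matrix inspected). The function names, the use of sets in place of the driver's bitmaps, and the hex APID.APQI formatting are modelling assumptions.

```python
# Added model (not kernel code) of the vfio_ap matrix filter described in the advisory.
# s390 names an AP queue "APID.APQI" in hex, e.g. 16.0005 is adapter 0x16, domain 5.

def apqn(apid, apqi):
    """Format an adapter/domain pair as the APQN string used in the advisory."""
    return f"{apid:02x}.{apqi:04x}"

def filter_new_only(apm, aqm, bound, new_apid=None, new_apqi=None):
    """Flawed (pre-fix) filter: only APQNs touching the newly assigned adapter or
    domain are checked against the queues bound to vfio_ap. Returns the shadow
    (guest-visible) adapter and domain masks; the sets stand in for the bitmaps."""
    shadow_apm = set(apm)
    if new_apid is not None and any(apqn(new_apid, q) not in bound for q in aqm):
        shadow_apm.discard(new_apid)
    if new_apqi is not None:
        for apid in apm:
            if apqn(apid, new_apqi) not in bound:
                shadow_apm.discard(apid)
    return shadow_apm, set(aqm)

def filter_entire_matrix(apm, aqm, bound):
    """Fixed filter: every APID x APQI of the mdev's matrix is checked, and any
    adapter with an unbound queue is dropped from the guest's configuration."""
    shadow_apm = {a for a in apm if all(apqn(a, q) in bound for q in aqm)}
    return shadow_apm, set(aqm)

def guest_queues(shadow_apm, shadow_aqm):
    """The APQNs a guest can actually reach from the filtered masks."""
    return {apqn(a, q) for a in shadow_apm for q in shadow_aqm}

def reproduce_scenario():
    """Replay the advisory's sequence; returns (flawed, fixed) guest APQN sets."""
    apm, aqm = {0x14, 0x16}, {0x4, 0x5, 0x6}       # mdev matrix: adapters, domains
    bound = {apqn(a, q) for a in apm for q in aqm}  # all six queues bound at start
    aqm.discard(0x4)                                # unassign domain 4
    bound.discard(apqn(0x16, 0x5))                  # unbind queue 16.0005
    aqm.add(0x4)                                    # assign domain 4 -> filter runs
    flawed = guest_queues(*filter_new_only(apm, aqm, bound, new_apqi=0x4))
    fixed = guest_queues(*filter_entire_matrix(apm, aqm, bound))
    return flawed, fixed

if __name__ == "__main__":
    flawed, fixed = reproduce_scenario()
    print("16.0005 reachable with flawed filter:", "16.0005" in flawed)  # True
    print("16.0005 reachable with fixed filter: ", "16.0005" in fixed)   # False
```

Note that the fixed filter also withholds the still-bound queues 16.0004 and 16.0006, because filtering operates on the adapter (APID) as the advisory describes, not on individual queues.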
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments running Linux on IBM Z (s390) architecture systems that utilize VFIO mediated devices for device pass-through to virtual machines. The improper filtering could allow unauthorized access to hardware queues by guest VMs, potentially leading to unauthorized data access or manipulation at the hardware interface level. This could compromise the confidentiality and integrity of data processed by affected virtual machines. Additionally, it could lead to stability or availability issues if unauthorized device access causes conflicts or resource contention. Organizations relying on s390 Linux systems for critical workloads, such as financial institutions, government agencies, and large enterprises in Europe, may face increased risk if they use virtualization technologies that expose hardware devices via VFIO mediated devices. While the vulnerability does not currently have known exploits, the potential for privilege escalation or data leakage in multi-tenant or sensitive environments makes timely patching important. The impact is more pronounced in sectors with high reliance on mainframe or s390 architecture virtualization, which are more common in certain European countries with established IBM mainframe usage.
Mitigation Recommendations
European organizations using Linux on s390 architecture should promptly apply the patch that updates the vfio_ap_mdev_filter_matrix function to inspect all adapters and domains assigned to the mediated device, ensuring proper filtering of AP queues. Since the vulnerability involves kernel-level device driver logic, updating to the fixed Linux kernel version containing commit 48cae940c31d2407d860d87c41d5f9871c0521db is essential. Organizations should:
1) Identify all s390 Linux systems running VFIO mediated devices and assess their exposure.
2) Schedule and perform kernel updates during maintenance windows to minimize disruption.
3) Review virtualization configurations to ensure that device pass-through policies strictly enforce device-driver binding requirements.
4) Monitor system logs for unusual device assignment or binding events that could indicate exploitation attempts.
5) Implement strict access controls and segmentation for virtual machines using VFIO devices to limit potential lateral movement.
6) Engage with Linux distribution vendors for backported patches if using enterprise Linux variants.
These steps go beyond generic advice by focusing on architecture-specific mitigation and operational controls tailored to the vulnerability's nature.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.132Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe41d9
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:25:05 PM
Last updated: 8/11/2025, 10:43:33 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)