CVE-2024-26623: Vulnerability in Linux kernel (pds_core)
Description
In the Linux kernel, the following vulnerability has been resolved:

pds_core: Prevent race issues involving the adminq

There are multiple paths that can result in using the pdsc's adminq.

[1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq()
[2] pdsc_adminq_post()

When the device goes through reset via PCIe reset and/or a fw_down/fw_up cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated. A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed.

In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time.

The adminq_refcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fw_down cycle it will set the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt to hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent any further adminq_refcnt increments. Waiting for the adminq_refcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminq_refcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fw_up cycle the driver will once again initialize the adminq_refcnt to 1 allowing the adminq to be used again.
AI Analysis
Technical Summary
CVE-2024-26623 is a lifetime race in pds_core, the Linux kernel's core driver for AMD/Pensando Distributed Services Card (DSC) PCIe devices, in its handling of the device admin queue (adminq). Two paths use the queue: [1] the adminq interrupt handler pdsc_adminq_isr, whose queued work runs pdsc_work_thread() and then pdsc_process_adminq(); and [2] pdsc_adminq_post(), which in-kernel clients such as pds-vfio-pci call to submit commands, possibly several clients at once. When the device is reset, by a PCIe reset or by a fw_down/fw_up cycle started because the PCIe link or the device is in a bad state, the driver destroys the adminq and later recreates it. If [1] or [2] runs in between, it dereferences the now-NULL adminq pointer and the kernel oopses. The reported symptom is a NULL pointer dereference, an access through a pointer that teardown has already cleared, rather than a classic use of freed heap memory.

The fix adds state checks and a reference count, adminq_refcnt, so that teardown can wait for in-flight users instead of pulling the queue out from under them. The count is 1 while the queue is allocated and idle, above 1 while users hold it, and 0 once it has been deleted. Each user on path [1] or [2] increments the count on entry and decrements it on exit. The order of operations in fw_down is what closes the race: the driver first sets PDSC_S_FW_DEAD, which makes every further increment attempt fail, then waits for adminq_refcnt to fall back to 1, and only then frees the queue and clears the count to 0. fw_up allocates a new queue and sets the count back to 1. A user arriving after the flag is set is refused cleanly; a user that got in before it holds teardown off until it is done.

The impact is availability on the affected host: an oops in the driver's work thread or in the calling client, which becomes a reboot where panic_on_oops is set. Nothing in the record indicates privilege escalation or code execution, no CVSS score is attached to the entry (its CVSS version is recorded as null), and no exploitation in the wild has been reported.
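The ordering just described (set the dead flag, wait for the count to drain, then free) is easier to see in code. The following is an added user-space model written for this page, not code from pds_core or the kernel: the struct layout, the PDSC_S_FW_DEAD bit value, the helper names (pdsc_adminq_inc_if_up, pdsc_adminq_dec, pdsc_race_demo, pdsc_selftest) and the use of a pthread mutex and condition variable in place of the kernel's primitives are all assumptions chosen to mirror the commit message. It replays the interleaving from the advisory, a slow command in flight when fw_down starts, and checks that teardown waits for it and that later posts are refused.

```c
/* Added, illustrative user-space model of the adminq reference counting in the
 * CVE-2024-26623 fix. Not pds_core code: the struct layout, the PDSC_S_FW_DEAD bit
 * value and the helper names are assumptions that mirror the commit message. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define PDSC_S_FW_DEAD (1UL << 0)              /* assumed bit position */
struct pdsc_adminq { unsigned int posted; };    /* stand-in for the real queue */
struct pdsc {
    unsigned long state;                       /* PDSC_S_* bits */
    struct pdsc_adminq *adminq;                /* NULL while destroyed */
    atomic_uint adminq_refcnt;                 /* 0 = deleted, 1 = idle, >1 = in use */
    pthread_mutex_t lock;                      /* orders refcnt/state changes against teardown */
    pthread_cond_t idle;                       /* signalled when refcnt drops back to 1 */
};

void pdsc_fw_up(struct pdsc *pdsc)             /* fw_up side: recreate, mark usable again */
{
    pthread_mutex_lock(&pdsc->lock);
    pdsc->adminq = calloc(1, sizeof(*pdsc->adminq));
    pdsc->adminq_refcnt = pdsc->adminq ? 1 : 0;
    pdsc->state &= ~PDSC_S_FW_DEAD;
    pthread_mutex_unlock(&pdsc->lock);
}

/* Take a reference only while the queue is alive: FW_DEAD refuses new users once
 * teardown has started, refcnt == 0 refuses an already deleted queue. */
bool pdsc_adminq_inc_if_up(struct pdsc *pdsc)
{
    pthread_mutex_lock(&pdsc->lock);
    bool ok = !(pdsc->state & PDSC_S_FW_DEAD) && pdsc->adminq_refcnt != 0;
    if (ok)
        pdsc->adminq_refcnt++;
    pthread_mutex_unlock(&pdsc->lock);
    return ok;
}

void pdsc_adminq_dec(struct pdsc *pdsc)
{
    pthread_mutex_lock(&pdsc->lock);
    if (--pdsc->adminq_refcnt == 1)            /* last user gone: wake a waiting teardown */
        pthread_cond_broadcast(&pdsc->idle);
    pthread_mutex_unlock(&pdsc->lock);
}

/* Path [2] from the commit message: a client posting a command that takes hold_us. */
int pdsc_adminq_post(struct pdsc *pdsc, unsigned int hold_us)
{
    if (!pdsc_adminq_inc_if_up(pdsc))
        return -ENXIO;                         /* refused cleanly instead of dereferencing NULL */
    usleep(hold_us);
    int rc = pdsc->adminq ? 0 : -EFAULT;       /* NULL here is where the unfixed driver oopses */
    if (!rc)
        pdsc->adminq->posted++;                /* safe: teardown waits while we hold a reference */
    pdsc_adminq_dec(pdsc);
    return rc;
}

void pdsc_fw_down(struct pdsc *pdsc)           /* fw_down side: flag, drain users, destroy */
{
    pthread_mutex_lock(&pdsc->lock);
    pdsc->state |= PDSC_S_FW_DEAD;             /* no further increments after this point */
    while (pdsc->adminq_refcnt > 1)            /* let current users finish */
        pthread_cond_wait(&pdsc->idle, &pdsc->lock);
    free(pdsc->adminq);
    pdsc->adminq = NULL;
    pdsc->adminq_refcnt = 0;                   /* 0 marks the queue as deleted */
    pthread_mutex_unlock(&pdsc->lock);
}

static void *slow_post(void *arg)              /* a 20 ms command on another thread */
{
    return (void *)(intptr_t)pdsc_adminq_post(arg, 20000);
}
/* Replays the racy interleaving: the slow post is in flight when fw_down starts.
 * Returns the post's result: 0 means teardown waited for it, -EFAULT means it did not. */
int pdsc_race_demo(struct pdsc *pdsc)
{
    pthread_t tid; void *ret;
    if (pthread_create(&tid, NULL, slow_post, pdsc))
        return -EAGAIN;
    for (int i = 0; i < 20000 && atomic_load(&pdsc->adminq_refcnt) < 2; i++)
        usleep(100);                           /* wait until the post holds its reference */
    pdsc_fw_down(pdsc);                        /* must not return before the post is done */
    pthread_join(tid, &ret);
    return (int)(intptr_t)ret;
}

/* Full cycle: use, fw_down under load, refused use, fw_up, use again. 0 = all good. */
int pdsc_selftest(void)
{
    struct pdsc pdsc = { .lock = PTHREAD_MUTEX_INITIALIZER, .idle = PTHREAD_COND_INITIALIZER };
    pdsc_fw_up(&pdsc);
    if (!pdsc.adminq || pdsc_adminq_post(&pdsc, 0) != 0) return 1;
    if (pdsc_race_demo(&pdsc) != 0) return 2;
    if (pdsc_adminq_post(&pdsc, 0) != -ENXIO) return 3;   /* deleted: FW_DEAD set, refcnt 0 */
    pdsc_fw_up(&pdsc);
    if (pdsc_adminq_post(&pdsc, 0) != 0 || pdsc.adminq->posted != 1) return 4;
    return 0;
}
int main(void) { return pdsc_selftest(); }     /* exit status 0 means the model behaved */
```

Build and run with `cc -std=gnu11 -pthread adminq_model.c && ./a.out; echo $?`. The -EFAULT return from pdsc_adminq_post is the model's stand-in for the oops: it can only happen if teardown frees the queue while a user still holds a reference, which the flag-then-wait ordering in pdsc_fw_down rules out. One design point worth noting: the FW_DEAD check and the increment in pdsc_adminq_inc_if_up sit under the same lock as teardown's flag-set-and-wait, so a user cannot pass the check and then increment after teardown has already observed the count at 1; whatever primitive a driver uses for this, that check-and-increment has to be atomic with respect to the teardown's "set flag, read count" pair or the window reopens.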
Potential Impact
For European organizations the exposure is confined to Linux hosts fitted with the PCIe devices that pds_core drives (AMD/Pensando DSC cards), which in practice means servers in cloud, hosting, telecom and data-centre estates, often with pds-vfio-pci in use for passing the device through to virtual machines. On such a host the consequence is a kernel oops while the device is being reset: with panic_on_oops the machine reboots, and without it the driver's work thread or the client that posted the command dies and the device is usually left needing another reset. Either way the result is downtime for whatever runs on that host or depends on the device. The record gives no indication of an effect on confidentiality or integrity. Because the race only opens while the adminq is being destroyed and recreated, it needs a reset or fw_down/fw_up cycle to coincide with queue use, so it shows up mainly as a reliability failure on hosts whose PCIe link or device is already unhealthy, and the more often such resets happen the more likely it is to be hit. No exploitation in the wild has been reported; the fix and its commit message are public, so the window is no secret, but triggering it still requires the reset condition rather than ordinary user input.
Mitigation Recommendations
The fix (the reference counting described above) is in the mainline Linux kernel; apply the kernel update from your distribution whose changelog lists CVE-2024-26623. First check whether a host is exposed at all: pds_core only binds to AMD/Pensando DSC devices, so `lsmod | grep pds_core` and `lspci -k` (look for "Kernel driver in use: pds_core") settle it, and a host that never loads the module is not affected. Where patching has to wait: 1) Avoid unnecessary PCIe resets and fw_down/fw_up cycles on the device, since the race only opens while the adminq is being destroyed and recreated. 2) Watch the kernel log (dmesg, journalctl -k) for oops reports attributable to the driver: a "BUG: kernel NULL pointer dereference" header (on arm64, "Unable to handle kernel NULL pointer dereference") followed by an RIP or call-trace line naming pdsc_adminq_post, pdsc_process_adminq or [pds_core]; a match means the host has hit this bug and needs the patched kernel, not just a restart. A line that merely lists pds_core under "Modules linked in:" is not a hit. 3) Make crashes recoverable without an operator: a hardware watchdog, kernel.panic set to a non-zero number of seconds so that a panic reboots rather than hangs, and kdump if you want the vmcore for the vendor. 4) On hosts where the card is not needed, keep the module from loading (a `blacklist pds_core` line in a file under /etc/modprobe.d/) until the fixed kernel is in place; do not do this where the card carries the host's network traffic. 5) Ask the hardware vendor whether a device firmware update reduces the PCIe or device faults that trigger the reset cycles in the first place. 6) Keep backups and a tested recovery procedure so that a crashed host costs only its restart time.
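For item 2, the following added example (written for this page; not code from any project) shows the detection logic as a small C scanner over a constructed log: it ties each oops header to the frames that follow it and counts a report only when the faulting RIP or a call-trace frame is inside pds_core, ignoring the "Modules linked in:" inventory. The header strings are the ones the x86 and arm64 kernels print for a NULL dereference; the sample lines, the module name example_mod and every timestamp, address and offset are invented.

```c
/* Added detection example for mitigation item 2: count kernel oops reports whose
 * faulting function or call trace lies in pds_core. Written for this page, not
 * taken from any project. The embedded log is constructed to look like an oops;
 * timestamps, addresses and offsets are invented. Real input would be the output
 * of `dmesg` or `journalctl -k`. Build: cc -std=c11 pds_oops_scan.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OOPS_WINDOW 40   /* lines after a BUG header that still belong to that report */

/* Headers the kernel prints for a NULL dereference; wording varies by arch/version. */
static const char *const BUG_MARKERS[] = {
    "BUG: kernel NULL pointer dereference",             /* x86 */
    "BUG: unable to handle page fault",                 /* newer x86 wording */
    "Unable to handle kernel NULL pointer dereference", /* arm64 */
    NULL
};
/* Matches the faulting RIP or a trace frame inside the module, but not the
 * "Modules linked in:" inventory, which only proves the module was loaded. */
static const char *const PDSC_MARKERS[] = { "[pds_core]", "pdsc_", NULL };

static bool has_any(const char *line, const char *const *markers)
{
    for (; *markers; markers++)
        if (strstr(line, *markers))
            return true;
    return false;
}

/* Returns how many oops reports in lines[0..n) are attributable to pds_core. */
int count_pds_core_oops(const char *const *lines, size_t n)
{
    int hits = 0, since_bug = -1;              /* -1: not inside a report */
    bool counted = false;
    for (size_t i = 0; i < n; i++) {
        if (has_any(lines[i], BUG_MARKERS)) {  /* a new report starts here */
            since_bug = 0;
            counted = false;
            continue;
        }
        if (since_bug < 0 || ++since_bug > OOPS_WINDOW) {
            since_bug = -1;                    /* outside any report */
            continue;
        }
        if (!counted && has_any(lines[i], PDSC_MARKERS)) {
            hits++;                            /* each report counts at most once */
            counted = true;
        }
    }
    return hits;
}

/* Constructed sample: one pds_core oops (path [1] from the commit message), one
 * unrelated oops in a hypothetical module, and a benign line naming the driver. */
static const char *const SAMPLE_LOG[] = {
    "[   12.001000] pds_core 0000:3b:00.0: enabling device (0000 -> 0002)",
    "[  830.120000] BUG: kernel NULL pointer dereference, address: 0000000000000010",
    "[  830.120010] #PF: supervisor read access in kernel mode",
    "[  830.120020] Modules linked in: pds_vfio_pci pds_core vfio_pci",
    "[  830.120030] RIP: 0010:pdsc_process_adminq+0x4a/0x2c0 [pds_core]",
    "[  830.120040] Call Trace:",
    "[  830.120050]  <TASK>",
    "[  830.120060]  pdsc_work_thread+0x1a0/0x2d0 [pds_core]",
    "[  830.120070]  process_one_work+0x1f5/0x3f0",
    "[  830.120080] ---[ end trace 0000000000000000 ]---",
    "[ 2410.500000] BUG: kernel NULL pointer dereference, address: 0000000000000000",
    "[ 2410.500010] RIP: 0010:example_probe+0x11/0x90 [example_mod]",
    "[ 2410.500020] ---[ end trace 0000000000000001 ]---",
};

int sample_log_hits(void)
{
    return count_pds_core_oops(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
}

int main(void)
{
    printf("pds_core oops reports in sample: %d\n", sample_log_hits());
    return 0;
}
```

The scanner is deliberately string-based so it can run over whatever a log shipper already collects; the only tuning it needs per fleet is the header list, since the exact wording depends on the architecture and kernel version in use.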
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.134Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe420b
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:25:38 PM
Last updated: 8/8/2025, 7:01:55 AM
Views: 12