CVE-2024-26645: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: tracing: Ensure visibility when inserting an element into tracing_map Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about duplicate histogram entries: $ while true; do echo hist:key=id.syscall:val=hitcount > \ /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist sleep 0.001 done $ stress-ng --sysbadaddr $(nproc) The warning looks as follows: [ 2911.172474] ------------[ cut here ]------------ [ 2911.173111] Duplicates detected: 1 [ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408 [ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E) [ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1 [ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01 [ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018 [ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408 [ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408 [ 2911.185310] sp : ffff8000a1513900 [ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001 [ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008 [ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180 [ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff [ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8 [ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731 [ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c [ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8 [ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000 [ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480 [ 2911.194259] Call trace: [ 2911.194626] tracing_map_sort_entries+0x3e0/0x408 [ 2911.195220] hist_show+0x124/0x800 [ 2911.195692] seq_read_iter+0x1d4/0x4e8 [ 2911.196193] seq_read+0xe8/0x138 [ 2911.196638] vfs_read+0xc8/0x300 [ 2911.197078] ksys_read+0x70/0x108 [ 2911.197534] __arm64_sys_read+0x24/0x38 [ 2911.198046] invoke_syscall+0x78/0x108 [ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8 [ 2911.199157] do_el0_svc+0x28/0x40 [ 2911.199613] el0_svc+0x40/0x178 [ 2911.200048] el0t_64_sync_handler+0x13c/0x158 [ 2911.200621] el0t_64_sync+0x1a8/0x1b0 [ 2911.201115] ---[ end trace 0000000000000000 ]--- The problem appears to be caused by CPU reordering of writes issued from __tracing_map_insert(). The check for the presence of an element with a given key in this function is: val = READ_ONCE(entry->val); if (val && keys_match(key, val->key, map->key_size)) ... The write of a new entry is: elt = get_free_elt(map); memcpy(elt->key, key, map->key_size); entry->val = elt; The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;" stores may become visible in the reversed order on another CPU. This second CPU might then incorrectly determine that a new key doesn't match an already present val->key and subse ---truncated---
AI Analysis
Technical Summary
CVE-2024-26645 is a concurrency-related vulnerability in the Linux kernel's tracing subsystem, specifically impacting multi-processor AArch64 (ARM64) architectures. The flaw arises from improper memory ordering in the function __tracing_map_insert(), which is responsible for inserting elements into a tracing map used for kernel event tracing and debugging. The vulnerability manifests when two commands are run in parallel on a multi-core ARM64 machine, causing sporadic warnings about duplicate histogram entries and kernel trace errors. The root cause is that the write operations within __tracing_map_insert()—specifically the memcpy of the key and the assignment of the entry value pointer—may be reordered by the CPU. This reordering can cause another CPU to observe an inconsistent state where the entry pointer is set before the key data is fully written, leading to incorrect assumptions about key uniqueness and resulting in duplicate entries or warnings. The issue is triggered by concurrent access patterns involving the tracing debugfs interface and stress testing tools like stress-ng. The kernel logs show warnings and stack traces pointing to tracing_map_sort_entries(), indicating that the sorting and validation of tracing map entries are affected. This vulnerability is not known to be exploited in the wild and does not have an assigned CVSS score yet. It affects Linux kernel versions identified by the commit hash c193707dde77ace92a649cd59a17e105e2fbeaef and likely other versions with similar tracing map implementations on ARM64 platforms. The problem is fundamentally a race condition due to weak memory ordering guarantees on ARM64 CPUs, which can cause kernel tracing data structures to become inconsistent under heavy concurrent load.
Potential Impact
For European organizations, the impact of CVE-2024-26645 depends largely on their use of Linux systems running on ARM64 hardware, such as servers, cloud instances, or embedded devices. Organizations leveraging ARM64-based infrastructure—particularly cloud providers or enterprises using ARM-based servers—may experience kernel instability, warnings, or potential crashes when running tracing tools or stress tests concurrently. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting kernel warnings and potential trace data corruption can impair system diagnostics and monitoring capabilities. This can hinder incident response and forensic analysis, reducing operational visibility. In critical environments, such as telecommunications, industrial control systems, or cloud service providers in Europe that utilize ARM64 Linux kernels, this could translate into reduced reliability and increased troubleshooting overhead. However, since exploitation requires specific concurrent operations and is not known to cause data corruption or security breaches directly, the immediate risk to confidentiality and integrity is low. Availability could be moderately impacted if kernel warnings escalate to crashes or system instability under heavy tracing workloads.
Mitigation Recommendations
European organizations should apply the official Linux kernel patches that address this memory ordering issue in the tracing subsystem as soon as they become available. Until patched, it is advisable to limit or avoid running concurrent tracing commands or stress tests that heavily interact with the tracing debugfs interface on ARM64 Linux systems. System administrators should monitor kernel logs for duplicate histogram warnings or tracing_map_sort_entries errors as indicators of this issue. For environments where tracing is critical, consider isolating tracing workloads to single-core or single-threaded contexts to reduce concurrency risks. Additionally, deploying kernel versions with improved memory barrier usage in tracing_map_insert() can prevent CPU reordering issues. Organizations using cloud services should verify that their providers have applied relevant kernel updates on ARM64 instances. Finally, incorporating kernel tracing error detection into monitoring and alerting systems can help identify occurrences of this issue promptly.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Ireland
CVE-2024-26645: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Ensure visibility when inserting an element into tracing_map Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about duplicate histogram entries: $ while true; do echo hist:key=id.syscall:val=hitcount > \ /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/trigger cat /sys/kernel/debug/tracing/events/raw_syscalls/sys_enter/hist sleep 0.001 done $ stress-ng --sysbadaddr $(nproc) The warning looks as follows: [ 2911.172474] ------------[ cut here ]------------ [ 2911.173111] Duplicates detected: 1 [ 2911.173574] WARNING: CPU: 2 PID: 12247 at kernel/trace/tracing_map.c:983 tracing_map_sort_entries+0x3e0/0x408 [ 2911.174702] Modules linked in: iscsi_ibft(E) iscsi_boot_sysfs(E) rfkill(E) af_packet(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ena(E) tiny_power_button(E) qemu_fw_cfg(E) button(E) fuse(E) efi_pstore(E) ip_tables(E) x_tables(E) xfs(E) libcrc32c(E) aes_ce_blk(E) aes_ce_cipher(E) crct10dif_ce(E) polyval_ce(E) polyval_generic(E) ghash_ce(E) gf128mul(E) sm4_ce_gcm(E) sm4_ce_ccm(E) sm4_ce(E) sm4_ce_cipher(E) sm4(E) sm3_ce(E) sm3(E) sha3_ce(E) sha512_ce(E) sha512_arm64(E) sha2_ce(E) sha256_arm64(E) nvme(E) sha1_ce(E) nvme_core(E) nvme_auth(E) t10_pi(E) sg(E) scsi_mod(E) scsi_common(E) efivarfs(E) [ 2911.174738] Unloaded tainted modules: cppc_cpufreq(E):1 [ 2911.180985] CPU: 2 PID: 12247 Comm: cat Kdump: loaded Tainted: G E 6.7.0-default #2 1b58bbb22c97e4399dc09f92d309344f69c44a01 [ 2911.182398] Hardware name: Amazon EC2 c7g.8xlarge/, BIOS 1.0 11/1/2018 [ 2911.183208] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2911.184038] pc : tracing_map_sort_entries+0x3e0/0x408 [ 2911.184667] lr : tracing_map_sort_entries+0x3e0/0x408 [ 2911.185310] sp : ffff8000a1513900 [ 2911.185750] x29: ffff8000a1513900 x28: ffff0003f272fe80 x27: 0000000000000001 [ 2911.186600] x26: ffff0003f272fe80 x25: 0000000000000030 x24: 0000000000000008 [ 2911.187458] x23: ffff0003c5788000 x22: ffff0003c16710c8 x21: ffff80008017f180 [ 2911.188310] x20: ffff80008017f000 x19: ffff80008017f180 x18: ffffffffffffffff [ 2911.189160] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000a15134b8 [ 2911.190015] x14: 0000000000000000 x13: 205d373432323154 x12: 5b5d313131333731 [ 2911.190844] x11: 00000000fffeffff x10: 00000000fffeffff x9 : ffffd1b78274a13c [ 2911.191716] x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 000000000057ffa8 [ 2911.192554] x5 : ffff0012f6c24ec0 x4 : 0000000000000000 x3 : ffff2e5b72b5d000 [ 2911.193404] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0003ff254480 [ 2911.194259] Call trace: [ 2911.194626] tracing_map_sort_entries+0x3e0/0x408 [ 2911.195220] hist_show+0x124/0x800 [ 2911.195692] seq_read_iter+0x1d4/0x4e8 [ 2911.196193] seq_read+0xe8/0x138 [ 2911.196638] vfs_read+0xc8/0x300 [ 2911.197078] ksys_read+0x70/0x108 [ 2911.197534] __arm64_sys_read+0x24/0x38 [ 2911.198046] invoke_syscall+0x78/0x108 [ 2911.198553] el0_svc_common.constprop.0+0xd0/0xf8 [ 2911.199157] do_el0_svc+0x28/0x40 [ 2911.199613] el0_svc+0x40/0x178 [ 2911.200048] el0t_64_sync_handler+0x13c/0x158 [ 2911.200621] el0t_64_sync+0x1a8/0x1b0 [ 2911.201115] ---[ end trace 0000000000000000 ]--- The problem appears to be caused by CPU reordering of writes issued from __tracing_map_insert(). The check for the presence of an element with a given key in this function is: val = READ_ONCE(entry->val); if (val && keys_match(key, val->key, map->key_size)) ... The write of a new entry is: elt = get_free_elt(map); memcpy(elt->key, key, map->key_size); entry->val = elt; The "memcpy(elt->key, key, map->key_size);" and "entry->val = elt;" stores may become visible in the reversed order on another CPU. This second CPU might then incorrectly determine that a new key doesn't match an already present val->key and subse ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-26645 is a concurrency-related vulnerability in the Linux kernel's tracing subsystem, specifically impacting multi-processor AArch64 (ARM64) architectures. The flaw arises from improper memory ordering in the function __tracing_map_insert(), which is responsible for inserting elements into a tracing map used for kernel event tracing and debugging. The vulnerability manifests when two commands are run in parallel on a multi-core ARM64 machine, causing sporadic warnings about duplicate histogram entries and kernel trace errors. The root cause is that the write operations within __tracing_map_insert()—specifically the memcpy of the key and the assignment of the entry value pointer—may be reordered by the CPU. This reordering can cause another CPU to observe an inconsistent state where the entry pointer is set before the key data is fully written, leading to incorrect assumptions about key uniqueness and resulting in duplicate entries or warnings. The issue is triggered by concurrent access patterns involving the tracing debugfs interface and stress testing tools like stress-ng. The kernel logs show warnings and stack traces pointing to tracing_map_sort_entries(), indicating that the sorting and validation of tracing map entries are affected. This vulnerability is not known to be exploited in the wild and does not have an assigned CVSS score yet. It affects Linux kernel versions identified by the commit hash c193707dde77ace92a649cd59a17e105e2fbeaef and likely other versions with similar tracing map implementations on ARM64 platforms. The problem is fundamentally a race condition due to weak memory ordering guarantees on ARM64 CPUs, which can cause kernel tracing data structures to become inconsistent under heavy concurrent load.
Potential Impact
For European organizations, the impact of CVE-2024-26645 depends largely on their use of Linux systems running on ARM64 hardware, such as servers, cloud instances, or embedded devices. Organizations leveraging ARM64-based infrastructure—particularly cloud providers or enterprises using ARM-based servers—may experience kernel instability, warnings, or potential crashes when running tracing tools or stress tests concurrently. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting kernel warnings and potential trace data corruption can impair system diagnostics and monitoring capabilities. This can hinder incident response and forensic analysis, reducing operational visibility. In critical environments, such as telecommunications, industrial control systems, or cloud service providers in Europe that utilize ARM64 Linux kernels, this could translate into reduced reliability and increased troubleshooting overhead. However, since exploitation requires specific concurrent operations and is not known to cause data corruption or security breaches directly, the immediate risk to confidentiality and integrity is low. Availability could be moderately impacted if kernel warnings escalate to crashes or system instability under heavy tracing workloads.
Mitigation Recommendations
European organizations should apply the official Linux kernel patches that address this memory ordering issue in the tracing subsystem as soon as they become available. Until patched, it is advisable to limit or avoid running concurrent tracing commands or stress tests that heavily interact with the tracing debugfs interface on ARM64 Linux systems. System administrators should monitor kernel logs for duplicate histogram warnings or tracing_map_sort_entries errors as indicators of this issue. For environments where tracing is critical, consider isolating tracing workloads to single-core or single-threaded contexts to reduce concurrency risks. Additionally, deploying kernel versions with improved memory barrier usage in tracing_map_insert() can prevent CPU reordering issues. Organizations using cloud services should verify that their providers have applied relevant kernel updates on ARM64 instances. Finally, incorporating kernel tracing error detection into monitoring and alerting systems can help identify occurrences of this issue promptly.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.138Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982bc4522896dcbe426c
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:40:10 PM
Last updated: 8/4/2025, 6:27:17 AM
Views: 14
Related Threats
CVE-2025-9008: SQL Injection in itsourcecode Online Tour and Travel Management System
MediumCVE-2025-9007: Buffer Overflow in Tenda CH22
HighCVE-2025-9006: Buffer Overflow in Tenda CH22
HighCVE-2025-9005: Information Exposure Through Error Message in mtons mblog
MediumCVE-2025-9004: Improper Restriction of Excessive Authentication Attempts in mtons mblog
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.