
CVE-2024-26656: Vulnerability in Linux (Linux kernel)

Severity: High
Type: Vulnerability
Published: Tue Apr 02 2024 (04/02/2024, 06:08:43 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix use-after-free bug

The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver on any ASICs with an invalid address and size. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example, the following code:

    static void Syzkaller1(int fd)
    {
        struct drm_amdgpu_gem_userptr arg;
        int ret;

        arg.addr = 0xffffffffffff0000;
        arg.size = 0x80000000; /* 2 GB */
        arg.flags = 0x7;
        ret = drmIoctl(fd, 0xc1186451 /* amdgpu_gem_userptr_ioctl */, &arg);
    }

Because the address and size are not valid, there is a failure in amdgpu_hmm_register -> mmu_interval_notifier_insert -> __mmu_interval_notifier_insert -> check_shl_overflow, but even on amdgpu_hmm_register failure we still call amdgpu_hmm_unregister from amdgpu_gem_object_free, which causes access to a bad address. The following stack trace is produced when the issue is reproduced with KASAN enabled:

    [ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
    [ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340
    [ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80
    [ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246
    [ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b
    [ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260
    [ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25
    [ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00
    [ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260
    [ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000
    [ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0
    [ +0.000010] Call Trace:
    [ +0.000006] <TASK>
    [ +0.000007] ? show_regs+0x6a/0x80
    [ +0.000018] ? __warn+0xa5/0x1b0
    [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
    [ +0.000018] ? report_bug+0x24a/0x290
    [ +0.000022] ? handle_bug+0x46/0x90
    [ +0.000015] ? exc_invalid_op+0x19/0x50
    [ +0.000016] ? asm_exc_invalid_op+0x1b/0x20
    [ +0.000017] ? kasan_save_stack+0x26/0x50
    [ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340
    [ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
    [ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340
    [ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10
    [ +0.000017] ? kasan_save_alloc_info+0x1e/0x30
    [ +0.000018] ? srso_return_thunk+0x5/0x5f
    [ +0.000014] ? __kasan_kmalloc+0xb1/0xc0
    [ +0.000018] ? srso_return_thunk+0x5/0x5f
    [ +0.000013] ? __kasan_check_read+0x11/0x20
    [ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]
    [ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]
    [ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]
    [ +0.004291] ? do_syscall_64+0x5f/0xe0
    [ +0.000023] ? srso_return_thunk+0x5/0x5f
    [ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]
    [ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]
    [ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
    [ +0.004270] ? srso_return_thunk+0x5/0x5f
    [ +0.000014] ? __this_cpu_preempt_check+0x13/0x20
    [ +0.000015] ? srso_return_thunk+0x5/0x5f
    [ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0
    [ +0.000020] ? srso_return_thunk+0x5/0x5f
    [ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
    [ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]
    [ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
    [ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]
    [ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]
    [ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
    [ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 21:41:35 UTC

Technical Analysis

CVE-2024-26656 is a use-after-free vulnerability in the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, specifically in the amdgpu_gem_userptr_ioctl handler. The vulnerability arises when an ioctl call with an invalid address and size is made to the AMDGPU DRM driver on any AMD ASIC. The flaw is triggered during user pointer memory registration (amdgpu_hmm_register), where the invalid address and size cause a failure in the mmu_interval_notifier_insert call chain. Despite this failure, the driver still calls amdgpu_hmm_unregister when the GEM object is freed, so mmu_interval_notifier_remove runs on a notifier that was never inserted; this is the use-after-free condition. The result is the kernel accessing memory it should not, which can cause system instability, a crash (kernel panic), or potentially arbitrary code execution in kernel space if exploited further. The vulnerability was reported by Joonkyo Jung and affects Linux kernel versions containing the vulnerable code; the affected commit range is not listed in this record. The issue is reproducible on systems with AMD GPUs, as demonstrated by the sample code in the description invoking the ioctl with invalid parameters. The included kernel stack trace shows the failure in mmu_interval_notifier_remove, reached from amdgpu_hmm_unregister and amdgpu_gem_object_free, indicating improper cleanup of memory interval notifiers. This vulnerability is serious because it involves kernel memory management and can be triggered by a single ioctl call, which may be accessible to unprivileged users depending on system configuration (any user who can open the DRM device node). No CVSS score has been assigned yet, but the technical details and potential impact suggest a high severity. There are no known exploits in the wild at the time of publication, and no official patches or mitigations are linked in the provided data, though the Linux kernel maintainers are expected to address this promptly given the severity and nature of the bug.
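The lifecycle described above (register a notifier for a user range, fail validation, then unconditionally unregister on the object-free path) modelled in user space, as an added example; this is not the kernel's code and not the upstream patch. It assumes, as a modelling choice, that the notifier records its owner (`mm`) before the range is validated, so a guard on `mm` alone does not catch a failed insert; the "fixed" variant clears that marker on failure. The names `notifier_insert`, `notifier_remove`, `hmm_register_vuln`, `hmm_register_fixed`, `hmm_unregister` and `userptr_ioctl` are hypothetical stand-ins for the kernel functions named in the description, and the address and size values are the ones quoted there.

```c
/* Added example (not the kernel's code): user-space model of the
 * register/unregister lifecycle behind CVE-2024-26656. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical interval notifier. Modelling assumption: the owner ('mm') is
 * recorded before the range is validated, so it stays non-NULL after a
 * failed insert. That is exactly the state a naive unregister guard misses. */
struct interval_notifier {
    const void *mm;   /* owning address space; NULL means "not registered" */
    uint64_t start;
    uint64_t last;
    int linked;       /* 1 only while inserted in the (modelled) interval tree */
};

struct bo {           /* buffer object, standing in for amdgpu_bo */
    struct interval_notifier notifier;
};

static const char current_mm[1];   /* stand-in for current->mm */

/* Insert: rejects a zero-length range or one whose end wraps around 2^64,
 * the same class of failure as the overflow check named in the description. */
static int notifier_insert(struct interval_notifier *n, const void *mm,
                           uint64_t start, uint64_t length)
{
    n->mm = mm;                         /* recorded before validation */
    n->linked = 0;
    if (length == 0 || __builtin_add_overflow(start, length - 1, &n->last))
        return -EOVERFLOW;
    n->start = start;
    n->linked = 1;
    return 0;
}

/* Remove: on a notifier that was never inserted this is the bad access the
 * KASAN trace reports; the model returns -EFAULT instead of dereferencing
 * uninitialised tree links. */
static int notifier_remove(struct interval_notifier *n)
{
    if (!n->linked)
        return -EFAULT;
    n->linked = 0;
    return 0;
}

/* Vulnerable shape: a failed insert leaves notifier.mm set. */
static int hmm_register_vuln(struct bo *bo, uint64_t addr, uint64_t size)
{
    return notifier_insert(&bo->notifier, current_mm, addr, size);
}

/* Fixed shape (illustrative, not the upstream patch): clear the marker that
 * unregister relies on whenever insert fails. */
static int hmm_register_fixed(struct bo *bo, uint64_t addr, uint64_t size)
{
    int r = notifier_insert(&bo->notifier, current_mm, addr, size);
    if (r)
        bo->notifier.mm = NULL;
    return r;
}

/* Shared unregister, reached from the object-free path. Its guard is only as
 * good as the state it checks. */
static int hmm_unregister(struct bo *bo)
{
    int r;
    if (!bo->notifier.mm)
        return 0;
    r = notifier_remove(&bo->notifier);
    bo->notifier.mm = NULL;
    return r;
}

/* Models the ioctl: register the user range, then release the object (which
 * unregisters). Returns 0 when cleanup is clean, -EFAULT when the free path
 * touched a notifier that was never inserted, -ENOMEM on allocation failure. */
int userptr_ioctl(uint64_t addr, uint64_t size, int use_fix)
{
    struct bo *bo = calloc(1, sizeof(*bo));
    int cleanup;

    if (!bo)
        return -ENOMEM;
    if (use_fix)
        hmm_register_fixed(bo, addr, size);
    else
        hmm_register_vuln(bo, addr, size);
    /* Whether registration succeeded or not, the object is eventually freed. */
    cleanup = hmm_unregister(bo);
    free(bo);
    return cleanup;
}

int main(void)
{
    /* addr/size are the values quoted in the CVE description. */
    const uint64_t bad_addr = 0xffffffffffff0000ULL, bad_size = 0x80000000ULL;
    printf("vulnerable, invalid range: %d (expect -EFAULT=%d)\n",
           userptr_ioctl(bad_addr, bad_size, 0), -EFAULT);
    printf("fixed, invalid range:      %d\n", userptr_ioctl(bad_addr, bad_size, 1));
    printf("fixed, valid range:        %d\n", userptr_ioctl(0x10000, 0x1000, 1));
    return 0;
}
```

The point the model makes is that the free path's guard (`if (!notifier.mm) return;`) is correct only if every failure path leaves the state it inspects consistent; the fix belongs at the failure site, not in the cleanup. When reviewing similar register/unregister pairs, check each early return between the two for the same gap.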

Potential Impact

For European organizations, the impact of CVE-2024-26656 can be significant, especially for those relying on Linux servers or workstations equipped with AMD GPUs. The vulnerability could allow local attackers or malicious processes to cause denial of service through kernel crashes or potentially escalate privileges by executing arbitrary code in kernel mode. This could compromise the confidentiality, integrity, and availability of critical systems. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that use AMD GPU-accelerated Linux systems for compute tasks, virtualization, or graphical workloads are particularly at risk. Additionally, cloud providers and data centers in Europe that offer AMD GPU-backed virtual machines or containers could see increased risk if unpatched. The vulnerability's exploitation could lead to service outages, data breaches, or lateral movement within networks. Given the kernel-level nature of the flaw, successful exploitation could bypass many traditional security controls. The absence of known exploits currently provides a window for mitigation, but the ease of triggering the bug with a single ioctl call raises concerns about potential future exploitation by threat actors.

Mitigation Recommendations

European organizations should immediately audit their Linux systems to identify those running vulnerable kernel versions with AMDGPU drivers. Specific mitigation steps include:

1) Applying the latest Linux kernel updates as soon as patches addressing CVE-2024-26656 are released by the Linux kernel maintainers or their Linux distribution vendors.
2) Restricting access to /dev/dri/card* devices or other device files exposing the AMDGPU DRM interface (the /dev/dri/renderD* render nodes expose the same GEM ioctls) to trusted users only, minimizing the risk of unprivileged exploitation.
3) Employing mandatory access controls (e.g., SELinux, AppArmor) to confine processes that require GPU access, limiting their ability to invoke the vulnerable ioctl.
4) Monitoring system logs for unusual ioctl calls or kernel warnings related to the amdgpu or drm modules.
5) For environments where immediate patching is not feasible, considering temporarily disabling the AMDGPU DRM modules if GPU functionality is not critical, or isolating affected systems from sensitive networks.
6) Engaging with Linux distribution security advisories and subscribing to relevant security mailing lists to receive timely updates.
7) Conducting penetration testing or vulnerability scanning focused on kernel ioctl interfaces to detect potential exploitation attempts.

These targeted mitigations go beyond generic advice by focusing on access control to the vulnerable interface and proactive monitoring.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.145Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe42a8

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 9:41:35 PM

Last updated: 8/12/2025, 8:33:50 AM
