CVE-2024-26687: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup shutdown_pirq and startup_pirq are not taking the irq_mapping_update_lock because they can't due to lock inversion. Both are called with the irq_desc->lock being taking. The lock order, however, is first irq_mapping_update_lock and then irq_desc->lock. This opens multiple races: - shutdown_pirq can be interrupted by a function that allocates an event channel: CPU0 CPU1 shutdown_pirq { xen_evtchn_close(e) __startup_pirq { EVTCHNOP_bind_pirq -> returns just freed evtchn e set_evtchn_to_irq(e, irq) } xen_irq_info_cleanup() { set_evtchn_to_irq(e, -1) } } Assume here event channel e refers here to the same event channel number. After this race the evtchn_to_irq mapping for e is invalid (-1). - __startup_pirq races with __unbind_from_irq in a similar way. Because __startup_pirq doesn't take irq_mapping_update_lock it can grab the evtchn that __unbind_from_irq is currently freeing and cleaning up. In this case even though the event channel is allocated, its mapping can be unset in evtchn_to_irq. The fix is to first cleanup the mappings and then close the event channel. In this way, when an event channel gets allocated it's potential previous evtchn_to_irq mappings are guaranteed to be unset already. This is also the reverse order of the allocation where first the event channel is allocated and then the mappings are setup. On a 5.10 kernel prior to commit 3fcdaf3d7634 ("xen/events: modify internal [un]bind interfaces"), we hit a BUG like the following during probing of NVMe devices. The issue is that during nvme_setup_io_queues, pci_free_irq is called for every device which results in a call to shutdown_pirq. With many nvme devices it's therefore likely to hit this race during boot because there will be multiple calls to shutdown_pirq and startup_pirq are running potentially in parallel. ------------[ cut here ]------------ blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled kernel BUG at drivers/xen/events/events_base.c:499! invalid opcode: 0000 [#1] SMP PTI CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1 Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006 Workqueue: nvme-reset-wq nvme_reset_work RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0 Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00 R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_trace_log_lvl+0x1c1/0x2d9 ? show_trace_log_lvl+0x1c1/0x2d9 ? set_affinity_irq+0xdc/0x1c0 ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0x90/0x110 ? bind_evtchn_to_cpu+0xdf/0xf0 ? do_error_trap+0x65/0x80 ? bind_evtchn_to_cpu+0xdf/0xf0 ? exc_invalid_op+0x4e/0x70 ? bind_evtchn_to_cpu+0xdf/0xf0 ? asm_exc_invalid_op+0x12/0x20 ? bind_evtchn_to_cpu+0xdf/0x ---truncated---
AI Analysis
Technical Summary
CVE-2024-26687 is a concurrency vulnerability in the Linux kernel's Xen event channel handling code, specifically affecting the shutdown and startup of physical interrupts (pirq) in Xen virtualized environments. The root cause is a lock inversion issue where shutdown_pirq and startup_pirq functions do not acquire the irq_mapping_update_lock due to potential deadlocks, but are called while holding irq_desc->lock. The intended lock order is irq_mapping_update_lock followed by irq_desc->lock, but this order is violated, leading to multiple race conditions. These races occur when shutdown_pirq can be interrupted by a concurrent allocation of an event channel in startup_pirq, causing the evtchn_to_irq mapping to become invalid (-1). Similarly, startup_pirq races with __unbind_from_irq, potentially causing the event channel mapping to be unset even though the channel is allocated. This inconsistency can lead to kernel bugs and crashes, as demonstrated by a kernel BUG during NVMe device probing on affected 5.10 kernels prior to commit 3fcdaf3d7634. The bug manifests as an invalid opcode exception in bind_evtchn_to_cpu due to corrupted event channel to IRQ mappings. The fix involves reversing the order of cleanup and closure of event channels to ensure mappings are cleared before channels are closed, preventing stale or invalid mappings during concurrent operations. This vulnerability affects Linux kernels using Xen virtualization, particularly versions before the fix in commit 3fcdaf3d7634. It is triggered under conditions of concurrent shutdown and startup of physical interrupts, such as during NVMe device initialization with multiple devices. No known exploits are reported in the wild yet, but the issue can cause system instability and crashes in affected environments.
Potential Impact
For European organizations running Linux kernels with Xen virtualization, especially those using affected 5.10 kernel versions or similar, this vulnerability poses a risk of system instability and unexpected kernel crashes. This can lead to denial of service conditions impacting availability of critical services hosted on Xen virtual machines. Organizations relying on NVMe storage devices in Xen environments may be particularly vulnerable during device initialization or reconfiguration, potentially causing boot failures or runtime crashes. The impact extends to cloud service providers and enterprises using Xen-based virtualization for production workloads, as kernel crashes can disrupt hosted applications and services. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting denial of service and system instability can affect business continuity and operational reliability. European sectors with high reliance on virtualized infrastructure, such as finance, telecommunications, and government, could face significant operational disruptions if unpatched. Additionally, the complexity of the issue and its manifestation during concurrent interrupt handling complicates detection and troubleshooting, increasing risk of prolonged outages.
Mitigation Recommendations
1. Upgrade Linux kernels to versions including the fix from commit 3fcdaf3d7634 or later, ensuring the corrected lock acquisition order and event channel cleanup are in place. 2. For organizations unable to immediately upgrade, apply backported patches from trusted Linux distribution vendors addressing this specific Xen events race condition. 3. Limit concurrent shutdown and startup operations of physical interrupts where possible, especially during NVMe device initialization, to reduce race window exposure. 4. Monitor kernel logs for signs of event channel mapping inconsistencies or kernel BUG messages related to bind_evtchn_to_cpu or xen/events. 5. Implement robust testing and validation of Xen virtualized environments after kernel upgrades to confirm stability under heavy device initialization workloads. 6. Coordinate with hardware and virtualization platform vendors to ensure compatibility and receive timely security updates. 7. Employ redundancy and failover mechanisms in critical virtualized services to mitigate impact of potential kernel crashes. 8. Document and rehearse incident response procedures for Xen host crashes to minimize downtime and data loss.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
CVE-2024-26687: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup shutdown_pirq and startup_pirq are not taking the irq_mapping_update_lock because they can't due to lock inversion. Both are called with the irq_desc->lock being taking. The lock order, however, is first irq_mapping_update_lock and then irq_desc->lock. This opens multiple races: - shutdown_pirq can be interrupted by a function that allocates an event channel: CPU0 CPU1 shutdown_pirq { xen_evtchn_close(e) __startup_pirq { EVTCHNOP_bind_pirq -> returns just freed evtchn e set_evtchn_to_irq(e, irq) } xen_irq_info_cleanup() { set_evtchn_to_irq(e, -1) } } Assume here event channel e refers here to the same event channel number. After this race the evtchn_to_irq mapping for e is invalid (-1). - __startup_pirq races with __unbind_from_irq in a similar way. Because __startup_pirq doesn't take irq_mapping_update_lock it can grab the evtchn that __unbind_from_irq is currently freeing and cleaning up. In this case even though the event channel is allocated, its mapping can be unset in evtchn_to_irq. The fix is to first cleanup the mappings and then close the event channel. In this way, when an event channel gets allocated it's potential previous evtchn_to_irq mappings are guaranteed to be unset already. This is also the reverse order of the allocation where first the event channel is allocated and then the mappings are setup. On a 5.10 kernel prior to commit 3fcdaf3d7634 ("xen/events: modify internal [un]bind interfaces"), we hit a BUG like the following during probing of NVMe devices. The issue is that during nvme_setup_io_queues, pci_free_irq is called for every device which results in a call to shutdown_pirq. With many nvme devices it's therefore likely to hit this race during boot because there will be multiple calls to shutdown_pirq and startup_pirq are running potentially in parallel. ------------[ cut here ]------------ blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled kernel BUG at drivers/xen/events/events_base.c:499! invalid opcode: 0000 [#1] SMP PTI CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1 Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006 Workqueue: nvme-reset-wq nvme_reset_work RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0 Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00 RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00 R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002 FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_trace_log_lvl+0x1c1/0x2d9 ? show_trace_log_lvl+0x1c1/0x2d9 ? set_affinity_irq+0xdc/0x1c0 ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0x90/0x110 ? bind_evtchn_to_cpu+0xdf/0xf0 ? do_error_trap+0x65/0x80 ? bind_evtchn_to_cpu+0xdf/0xf0 ? exc_invalid_op+0x4e/0x70 ? bind_evtchn_to_cpu+0xdf/0xf0 ? asm_exc_invalid_op+0x12/0x20 ? bind_evtchn_to_cpu+0xdf/0x ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-26687 is a concurrency vulnerability in the Linux kernel's Xen event channel handling code, specifically affecting the shutdown and startup of physical interrupts (pirq) in Xen virtualized environments. The root cause is a lock inversion issue where shutdown_pirq and startup_pirq functions do not acquire the irq_mapping_update_lock due to potential deadlocks, but are called while holding irq_desc->lock. The intended lock order is irq_mapping_update_lock followed by irq_desc->lock, but this order is violated, leading to multiple race conditions. These races occur when shutdown_pirq can be interrupted by a concurrent allocation of an event channel in startup_pirq, causing the evtchn_to_irq mapping to become invalid (-1). Similarly, startup_pirq races with __unbind_from_irq, potentially causing the event channel mapping to be unset even though the channel is allocated. This inconsistency can lead to kernel bugs and crashes, as demonstrated by a kernel BUG during NVMe device probing on affected 5.10 kernels prior to commit 3fcdaf3d7634. The bug manifests as an invalid opcode exception in bind_evtchn_to_cpu due to corrupted event channel to IRQ mappings. The fix involves reversing the order of cleanup and closure of event channels to ensure mappings are cleared before channels are closed, preventing stale or invalid mappings during concurrent operations. This vulnerability affects Linux kernels using Xen virtualization, particularly versions before the fix in commit 3fcdaf3d7634. It is triggered under conditions of concurrent shutdown and startup of physical interrupts, such as during NVMe device initialization with multiple devices. No known exploits are reported in the wild yet, but the issue can cause system instability and crashes in affected environments.
Potential Impact
For European organizations running Linux kernels with Xen virtualization, especially those using affected 5.10 kernel versions or similar, this vulnerability poses a risk of system instability and unexpected kernel crashes. This can lead to denial of service conditions impacting availability of critical services hosted on Xen virtual machines. Organizations relying on NVMe storage devices in Xen environments may be particularly vulnerable during device initialization or reconfiguration, potentially causing boot failures or runtime crashes. The impact extends to cloud service providers and enterprises using Xen-based virtualization for production workloads, as kernel crashes can disrupt hosted applications and services. While this vulnerability does not directly lead to privilege escalation or data leakage, the resulting denial of service and system instability can affect business continuity and operational reliability. European sectors with high reliance on virtualized infrastructure, such as finance, telecommunications, and government, could face significant operational disruptions if unpatched. Additionally, the complexity of the issue and its manifestation during concurrent interrupt handling complicates detection and troubleshooting, increasing risk of prolonged outages.
Mitigation Recommendations
1. Upgrade Linux kernels to versions including the fix from commit 3fcdaf3d7634 or later, ensuring the corrected lock acquisition order and event channel cleanup are in place. 2. For organizations unable to immediately upgrade, apply backported patches from trusted Linux distribution vendors addressing this specific Xen events race condition. 3. Limit concurrent shutdown and startup operations of physical interrupts where possible, especially during NVMe device initialization, to reduce race window exposure. 4. Monitor kernel logs for signs of event channel mapping inconsistencies or kernel BUG messages related to bind_evtchn_to_cpu or xen/events. 5. Implement robust testing and validation of Xen virtualized environments after kernel upgrades to confirm stability under heavy device initialization workloads. 6. Coordinate with hardware and virtualization platform vendors to ensure compatibility and receive timely security updates. 7. Employ redundancy and failover mechanisms in critical virtualized services to mitigate impact of potential kernel crashes. 8. Document and rehearse incident response procedures for Xen host crashes to minimize downtime and data loss.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.154Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3808
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 5:24:56 PM
Last updated: 8/8/2025, 7:46:05 AM
Views: 13
Related Threats
CVE-2025-7353: CWE-1188: Initialization of a Resource with an Insecure Default in Rockwell Automation 1756-EN2T/D
CriticalCVE-2025-55675: CWE-285 Improper Authorization in Apache Software Foundation Apache Superset
MediumCVE-2025-55674: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
MediumCVE-2025-55673: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Superset
MediumCVE-2025-55672: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Apache Software Foundation Apache Superset
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.