CVE-2024-26695: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN: [ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002) [ 137.162647] ccp 0000:23:00.1: no command queues available [ 137.170598] ccp 0000:23:00.1: sev enabled [ 137.174645] ccp 0000:23:00.1: psp enabled [ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI [ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7] [ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311 [ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c [ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216 [ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e [ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0 [ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66 [ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28 [ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8 [ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000 [ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0 [ 137.182693] Call Trace: [ 137.182693] <TASK> [ 137.182693] ? show_regs+0x6c/0x80 [ 137.182693] ? __die_body+0x24/0x70 [ 137.182693] ? die_addr+0x4b/0x80 [ 137.182693] ? exc_general_protection+0x126/0x230 [ 137.182693] ? asm_exc_general_protection+0x2b/0x30 [ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80 [ 137.182693] sev_dev_destroy+0x49/0x100 [ 137.182693] psp_dev_destroy+0x47/0xb0 [ 137.182693] sp_destroy+0xbb/0x240 [ 137.182693] sp_pci_remove+0x45/0x60 [ 137.182693] pci_device_remove+0xaa/0x1d0 [ 137.182693] device_remove+0xc7/0x170 [ 137.182693] really_probe+0x374/0xbe0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] __driver_probe_device+0x199/0x460 [ 137.182693] driver_probe_device+0x4e/0xd0 [ 137.182693] __driver_attach+0x191/0x3d0 [ 137.182693] ? __pfx___driver_attach+0x10/0x10 [ 137.182693] bus_for_each_dev+0x100/0x190 [ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10 [ 137.182693] ? __kasan_check_read+0x15/0x20 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? _raw_spin_unlock+0x27/0x50 [ 137.182693] driver_attach+0x41/0x60 [ 137.182693] bus_add_driver+0x2a8/0x580 [ 137.182693] driver_register+0x141/0x480 [ 137.182693] __pci_register_driver+0x1d6/0x2a0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] sp_pci_init+0x22/0x30 [ 137.182693] sp_mod_init+0x14/0x30 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] do_one_initcall+0xd1/0x470 [ 137.182693] ? __pfx_do_one_initcall+0x10/0x10 [ 137.182693] ? parameq+0x80/0xf0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? __kmalloc+0x3b0/0x4e0 [ 137.182693] ? kernel_init_freeable+0x92d/0x1050 [ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] kernel_init_freeable+0xa64/0x1050 [ 137.182693] ? __pfx_kernel_init+0x10/0x10 [ 137.182693] kernel_init+0x24/0x160 [ 137.182693] ? __switch_to_asm+0x3e/0x70 [ 137.182693] ret_from_fork+0x40/0x80 [ 137.182693] ? __pfx_kernel_init+0x1 ---truncated---
AI Analysis
Technical Summary
CVE-2024-26695 is a vulnerability identified in the Linux kernel's crypto subsystem, specifically within the AMD SEV (Secure Encrypted Virtualization) platform device driver component, known as ccp. The flaw is a null pointer dereference occurring in the function __sev_platform_shutdown_locked. This function is responsible for shutting down the SEV platform device, but under certain conditions, such as when the psp_master pointer is null (e.g., triggered by DEBUG_TEST_DRIVER_REMOVE), the code attempts to dereference this null pointer, leading to a general protection fault and kernel crash. The vulnerability was discovered using Kernel Address Sanitizer (KASAN), which detected the null pointer dereference during device shutdown sequences. The detailed kernel logs show the crash occurs during the shutdown process of the SEV platform device, which is part of AMD's PSP (Platform Security Processor) integration for secure virtualization. The impact is a denial of service (DoS) condition caused by a kernel panic or crash, which could be triggered by an attacker with the ability to invoke device shutdown operations or unload the driver. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability requires local privileges to trigger, as it involves device driver operations and kernel module management. The flaw does not appear to allow privilege escalation or arbitrary code execution directly but can cause system instability and availability issues on affected systems running vulnerable Linux kernels with AMD SEV support enabled.
Potential Impact
For European organizations, the primary impact of CVE-2024-26695 is the potential for denial of service on Linux systems utilizing AMD SEV technology. This is particularly relevant for enterprises and cloud providers that deploy virtualized environments leveraging AMD SEV for secure VM isolation. A successful exploitation could lead to kernel crashes, causing system downtime, disruption of critical services, and potential data unavailability. Organizations relying on Linux servers for infrastructure, especially those using AMD EPYC processors with SEV features, may face operational interruptions. While this vulnerability does not directly compromise confidentiality or integrity, the availability impact could affect business continuity, especially in sectors like finance, healthcare, and critical infrastructure where uptime is crucial. Additionally, the need for local access to trigger the vulnerability limits remote exploitation risk but does not eliminate insider threat or attacker scenarios where local code execution is already achieved. The absence of known exploits reduces immediate risk but patching remains essential to prevent future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2024-26695, European organizations should: 1) Apply the latest Linux kernel updates and patches that address this vulnerability as soon as they become available from trusted Linux distributions or kernel maintainers. 2) Audit and restrict access to systems with AMD SEV enabled, ensuring that only authorized personnel have local administrative privileges capable of triggering device shutdown or driver unload operations. 3) Implement monitoring and alerting for unusual kernel module unload or device shutdown activities that could indicate exploitation attempts. 4) For virtualized environments, consider temporarily disabling AMD SEV support if immediate patching is not feasible and the risk of local exploitation is high. 5) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production, given the critical nature of kernel components. 6) Maintain robust endpoint security controls to prevent unauthorized local access, including the use of multi-factor authentication and least privilege principles. 7) Engage with hardware and software vendors to receive timely security advisories and patches related to AMD SEV and Linux kernel vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
CVE-2024-26695: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN: [ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002) [ 137.162647] ccp 0000:23:00.1: no command queues available [ 137.170598] ccp 0000:23:00.1: sev enabled [ 137.174645] ccp 0000:23:00.1: psp enabled [ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI [ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7] [ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311 [ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c [ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216 [ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e [ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0 [ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66 [ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28 [ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8 [ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000 [ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0 [ 137.182693] Call Trace: [ 137.182693] <TASK> [ 137.182693] ? show_regs+0x6c/0x80 [ 137.182693] ? __die_body+0x24/0x70 [ 137.182693] ? die_addr+0x4b/0x80 [ 137.182693] ? exc_general_protection+0x126/0x230 [ 137.182693] ? asm_exc_general_protection+0x2b/0x30 [ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180 [ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80 [ 137.182693] sev_dev_destroy+0x49/0x100 [ 137.182693] psp_dev_destroy+0x47/0xb0 [ 137.182693] sp_destroy+0xbb/0x240 [ 137.182693] sp_pci_remove+0x45/0x60 [ 137.182693] pci_device_remove+0xaa/0x1d0 [ 137.182693] device_remove+0xc7/0x170 [ 137.182693] really_probe+0x374/0xbe0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] __driver_probe_device+0x199/0x460 [ 137.182693] driver_probe_device+0x4e/0xd0 [ 137.182693] __driver_attach+0x191/0x3d0 [ 137.182693] ? __pfx___driver_attach+0x10/0x10 [ 137.182693] bus_for_each_dev+0x100/0x190 [ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10 [ 137.182693] ? __kasan_check_read+0x15/0x20 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? _raw_spin_unlock+0x27/0x50 [ 137.182693] driver_attach+0x41/0x60 [ 137.182693] bus_add_driver+0x2a8/0x580 [ 137.182693] driver_register+0x141/0x480 [ 137.182693] __pci_register_driver+0x1d6/0x2a0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] sp_pci_init+0x22/0x30 [ 137.182693] sp_mod_init+0x14/0x30 [ 137.182693] ? __pfx_sp_mod_init+0x10/0x10 [ 137.182693] do_one_initcall+0xd1/0x470 [ 137.182693] ? __pfx_do_one_initcall+0x10/0x10 [ 137.182693] ? parameq+0x80/0xf0 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] ? __kmalloc+0x3b0/0x4e0 [ 137.182693] ? kernel_init_freeable+0x92d/0x1050 [ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190 [ 137.182693] ? srso_return_thunk+0x5/0x5f [ 137.182693] kernel_init_freeable+0xa64/0x1050 [ 137.182693] ? __pfx_kernel_init+0x10/0x10 [ 137.182693] kernel_init+0x24/0x160 [ 137.182693] ? __switch_to_asm+0x3e/0x70 [ 137.182693] ret_from_fork+0x40/0x80 [ 137.182693] ? __pfx_kernel_init+0x1 ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-26695 is a vulnerability identified in the Linux kernel's crypto subsystem, specifically within the AMD SEV (Secure Encrypted Virtualization) platform device driver component, known as ccp. The flaw is a null pointer dereference occurring in the function __sev_platform_shutdown_locked. This function is responsible for shutting down the SEV platform device, but under certain conditions, such as when the psp_master pointer is null (e.g., triggered by DEBUG_TEST_DRIVER_REMOVE), the code attempts to dereference this null pointer, leading to a general protection fault and kernel crash. The vulnerability was discovered using Kernel Address Sanitizer (KASAN), which detected the null pointer dereference during device shutdown sequences. The detailed kernel logs show the crash occurs during the shutdown process of the SEV platform device, which is part of AMD's PSP (Platform Security Processor) integration for secure virtualization. The impact is a denial of service (DoS) condition caused by a kernel panic or crash, which could be triggered by an attacker with the ability to invoke device shutdown operations or unload the driver. The vulnerability affects multiple Linux kernel versions as indicated by the affected commit hashes. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The vulnerability requires local privileges to trigger, as it involves device driver operations and kernel module management. The flaw does not appear to allow privilege escalation or arbitrary code execution directly but can cause system instability and availability issues on affected systems running vulnerable Linux kernels with AMD SEV support enabled.
Potential Impact
For European organizations, the primary impact of CVE-2024-26695 is the potential for denial of service on Linux systems utilizing AMD SEV technology. This is particularly relevant for enterprises and cloud providers that deploy virtualized environments leveraging AMD SEV for secure VM isolation. A successful exploitation could lead to kernel crashes, causing system downtime, disruption of critical services, and potential data unavailability. Organizations relying on Linux servers for infrastructure, especially those using AMD EPYC processors with SEV features, may face operational interruptions. While this vulnerability does not directly compromise confidentiality or integrity, the availability impact could affect business continuity, especially in sectors like finance, healthcare, and critical infrastructure where uptime is crucial. Additionally, the need for local access to trigger the vulnerability limits remote exploitation risk but does not eliminate insider threat or attacker scenarios where local code execution is already achieved. The absence of known exploits reduces immediate risk but patching remains essential to prevent future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2024-26695, European organizations should: 1) Apply the latest Linux kernel updates and patches that address this vulnerability as soon as they become available from trusted Linux distributions or kernel maintainers. 2) Audit and restrict access to systems with AMD SEV enabled, ensuring that only authorized personnel have local administrative privileges capable of triggering device shutdown or driver unload operations. 3) Implement monitoring and alerting for unusual kernel module unload or device shutdown activities that could indicate exploitation attempts. 4) For virtualized environments, consider temporarily disabling AMD SEV support if immediate patching is not feasible and the risk of local exploitation is high. 5) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production, given the critical nature of kernel components. 6) Maintain robust endpoint security controls to prevent unauthorized local access, including the use of multi-factor authentication and least privilege principles. 7) Engage with hardware and software vendors to receive timely security advisories and patches related to AMD SEV and Linux kernel vulnerabilities.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.156Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbdda31
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:25:59 AM
Last updated: 7/29/2025, 5:03:07 AM
Views: 11
Related Threats
CVE-2025-7353: CWE-1188: Initialization of a Resource with an Insecure Default in Rockwell Automation 1756-EN2T/D
CriticalCVE-2025-55675: CWE-285 Improper Authorization in Apache Software Foundation Apache Superset
MediumCVE-2025-55674: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
MediumCVE-2025-55673: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Software Foundation Apache Superset
MediumCVE-2025-55672: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Apache Software Foundation Apache Superset
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.