CVE-2024-26703: Vulnerability in Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

tracing/timerlat: Move hrtimer_init to timerlat_fd open()

Currently, the timerlat's hrtimer is initialized at the first read of timerlat_fd, and destroyed at close(). It works, but it causes an error if the user program open() and close() the file without reading.

Here's an example:

  # echo NO_OSNOISE_WORKLOAD > /sys/kernel/debug/tracing/osnoise/options
  # echo timerlat > /sys/kernel/debug/tracing/current_tracer

  # cat <<EOF > ./timerlat_load.py
  # !/usr/bin/env python3

  timerlat_fd = open("/sys/kernel/tracing/osnoise/per_cpu/cpu0/timerlat_fd", 'r')
  timerlat_fd.close();
  EOF

  # ./taskset -c 0 ./timerlat_load.py
  <BOOM>

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014
  RIP: 0010:hrtimer_active+0xd/0x50
  Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 57 30 <8b> 42 10 a8 01 74 09 f3 90 8b 42 10 a8 01 75 f7 80 7f 38 00 75 1d
  RSP: 0018:ffffb031009b7e10 EFLAGS: 00010286
  RAX: 000000000002db00 RBX: ffff9118f786db08 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: ffff9117a0e64400 RDI: ffff9118f786db08
  RBP: ffff9118f786db80 R08: ffff9117a0ddd420 R09: ffff9117804d4f70
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff9118f786db08
  R13: ffff91178fdd5e20 R14: ffff9117840978c0 R15: 0000000000000000
  FS: 00007f2ffbab1740(0000) GS:ffff9118f7840000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000010 CR3: 00000001b402e000 CR4: 0000000000750ee0
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __die+0x23/0x70
   ? page_fault_oops+0x171/0x4e0
   ? srso_alias_return_thunk+0x5/0x7f
   ? avc_has_extended_perms+0x237/0x520
   ? exc_page_fault+0x7f/0x180
   ? asm_exc_page_fault+0x26/0x30
   ? hrtimer_active+0xd/0x50
   hrtimer_cancel+0x15/0x40
   timerlat_fd_release+0x48/0xe0
   __fput+0xf5/0x290
   __x64_sys_close+0x3d/0x80
   do_syscall_64+0x60/0x90
   ? srso_alias_return_thunk+0x5/0x7f
   ? __x64_sys_ioctl+0x72/0xd0
   ? srso_alias_return_thunk+0x5/0x7f
   ? syscall_exit_to_user_mode+0x2b/0x40
   ? srso_alias_return_thunk+0x5/0x7f
   ? do_syscall_64+0x6c/0x90
   ? srso_alias_return_thunk+0x5/0x7f
   ? exit_to_user_mode_prepare+0x142/0x1f0
   ? srso_alias_return_thunk+0x5/0x7f
   ? syscall_exit_to_user_mode+0x2b/0x40
   ? srso_alias_return_thunk+0x5/0x7f
   ? do_syscall_64+0x6c/0x90
   entry_SYSCALL_64_after_hwframe+0x6e/0xd8
  RIP: 0033:0x7f2ffb321594
  Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 cd 0d 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d
  RSP: 002b:00007ffe8d8eef18 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
  RAX: ffffffffffffffda RBX: 00007f2ffba4e668 RCX: 00007f2ffb321594
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
  RBP: 00007ffe8d8eef40 R08: 0000000000000000 R09: 0000000000000000
  R10: 55c926e3167eae79 R11: 0000000000000202 R12: 0000000000000003
  R13: 00007ffe8d8ef030 R14: 0000000000000000 R15: 00007f2ffba4e668
   </TASK>
  CR2: 0000000000000010
  ---[ end trace 0000000000000000 ]---

Move hrtimer_init to timerlat_fd open() to avoid this problem.
AI Analysis
Technical Summary
CVE-2024-26703 is a vulnerability in the Linux kernel's tracing subsystem, specifically in the timerlat tracer's handling of high-resolution timers (hrtimers). The hrtimer initialization (hrtimer_init) was deferred until the first read of the per-CPU timerlat file descriptor (timerlat_fd), while the timer is cancelled and torn down when the descriptor is closed. If a user program opens and closes timerlat_fd without ever reading it, the close path (timerlat_fd_release) calls hrtimer_cancel() on a timer that was never initialized; hrtimer_active() then reads through the timer's still-NULL base pointer, which is the NULL pointer dereference at address 0x10 visible in the trace above (CR2: 0000000000000010, RDX: 0, with hrtimer_cancel and timerlat_fd_release on the stack beneath __x64_sys_close). The result is a kernel oops (crash). The kernel commit demonstrates this with a simple Python script that opens and immediately closes timerlat_fd without reading, run pinned to CPU 0 with taskset. The root cause is that the initialization logic sat in the read path rather than the open path of the file descriptor. The fix moves hrtimer_init to the open() function of timerlat_fd, so the timer is always initialized before any close can cancel it; this removes the NULL pointer dereference and makes the tracer's open/close lifecycle well-defined. The vulnerability affects Linux kernel versions around 6.6.13-200.fc39.x86_64 (the build in the quoted trace) and similar builds where this tracing code is present. There are no known exploits in the wild, and no CVSS score has been assigned yet. The issue is a kernel crash triggered by local user-space programs interacting with the tracing files under debugfs, which could be used for denial of service or potentially leveraged in privilege escalation scenarios if combined with other vulnerabilities.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments running affected Linux kernel versions, especially those that use the tracing subsystem for performance monitoring or debugging. The impact is a potential denial of service (DoS): a kernel crash triggered by local users or processes that can open the timerlat tracer's files under the tracing debugfs interface. In multi-tenant or shared environments such as cloud providers, hosting services, or container platforms, an unprivileged user with access to that interface could cause system instability or downtime by exploiting this flaw. Direct remote exploitation is unlikely, since it requires local access and interaction with debugfs, but the vulnerability could be combined with other flaws to escalate privileges or disrupt critical infrastructure. European organizations relying on Linux servers for critical services, including telecommunications, finance, healthcare, and government, may experience service interruptions or require emergency patching. Development and testing environments where tracing tools are in routine use are also affected, with potential impact on operational continuity. Given the widespread use of Linux in European data centers and enterprises, the impact is significant in terms of availability and operational reliability.
Mitigation Recommendations
1. Apply the official Linux kernel patch that moves the hrtimer initialization to the open() function of timerlat_fd as soon as it becomes available. This is the definitive fix to prevent the NULL pointer dereference.
2. Until patched, restrict access to the debugfs tracing filesystem, especially the timerlat tracer files, to trusted and privileged users only. Use appropriate Linux security modules (e.g., SELinux, AppArmor) or mount options to limit exposure.
3. Monitor kernel logs for oops or crash reports related to timerlat_fd or the tracing subsystem to detect exploitation attempts.
4. In containerized or multi-tenant environments, isolate tracing interfaces or disable the timerlat tracer if not required.
5. Educate system administrators and developers about safe usage patterns of tracing tools, avoiding open/close operations without reads on timerlat_fd.
6. Implement robust kernel crash recovery and automated patch management processes to rapidly deploy fixes across affected systems.
7. Consider using kernel live patching solutions where available to minimize downtime during remediation.
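As an added example for recommendation 3 (not part of this advisory or of the kernel project's code), the following Python parser groups dmesg lines into oops events and flags the signature of this bug: hrtimer_cancel/hrtimer_active faulting underneath timerlat_fd_release in the close() path. The log lines are constructed, modelled on the trace quoted in the description; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed dmesg-style sample (not real log data) modelled on the advisory's oops.
SAMPLE_KMSG = """\
[  301.442] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  301.442] CPU: 1 PID: 2673 Comm: python3 Not tainted 6.6.13-200.fc39.x86_64 #1
[  301.442] RIP: 0010:hrtimer_active+0xd/0x50
[  301.442]  hrtimer_cancel+0x15/0x40
[  301.442]  timerlat_fd_release+0x48/0xe0
[  301.442] ---[ end trace 0000000000000000 ]---
[  400.100] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  400.100] CPU: 0 PID: 999 Comm: foo Not tainted 6.6.13-200.fc39.x86_64 #1
[  400.100]  some_other_release+0x10/0x20
[  400.100] ---[ end trace 0000000000000000 ]---
"""
_BUG = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
_TASK = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+)")
_SYM = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # RIP or call-trace symbol

@dataclass
class Oops:
    address: str
    pid: int = -1
    comm: str = ""
    frames: list = field(default_factory=list)

    def is_timerlat_fd_release_crash(self):
        # Advisory signature: close() cancels a never-initialised hrtimer under timerlat_fd_release.
        return "timerlat_fd_release" in self.frames and bool(
            {"hrtimer_cancel", "hrtimer_active"} & set(self.frames))

def parse_oopses(lines):
    events, cur = [], None  # each "BUG: ... end trace" span becomes one Oops
    for raw in lines:
        line = re.sub(r"^\[\s*[\d.]+\]\s?", "", raw)  # drop the dmesg timestamp
        if m := _BUG.search(line):
            cur = Oops(address=m.group(1))
        elif cur is None:
            continue
        elif m := _TASK.search(line):
            cur.pid, cur.comm = int(m.group(1)), m.group(2)
        elif m := _SYM.search(line):
            cur.frames.append(m.group(1))
        elif "---[ end trace" in line:
            events.append(cur)
            cur = None
    return events

def find_timerlat_crashes(text):
    return [o for o in parse_oopses(text.splitlines()) if o.is_timerlat_fd_release_crash()]
```

On a live host, feed it the output of `dmesg` or `journalctl -k` instead of SAMPLE_KMSG; a hit identifies the PID and command name that closed timerlat_fd.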
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.158Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe388d
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 5:39:55 PM
Last updated: 7/31/2025, 12:34:21 PM