CVE-2024-26746: Vulnerability in the Linux kernel (dmaengine idxd driver)
Description
In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Ensure safe user copy of completion record

If CONFIG_HARDENED_USERCOPY is enabled, copying completion record from event log cache to user triggers a kernel bug.

[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!
[ 1987.170845] ------------[ cut here ]------------
[ 1987.176086] kernel BUG at mm/usercopy.c:102!
[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5
[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]
[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90
[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f
[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246
[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000
[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff
[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff
[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a
[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899
[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000
[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0
[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1987.324527] PKRU: 55555554
[ 1987.327622] Call Trace:
[ 1987.330424] <TASK>
[ 1987.332826] ? show_regs+0x6e/0x80
[ 1987.336703] ? die+0x3c/0xa0
[ 1987.339988] ? do_trap+0xd4/0xf0
[ 1987.343662] ? do_error_trap+0x75/0xa0
[ 1987.347922] ? usercopy_abort+0x72/0x90
[ 1987.352277] ? exc_invalid_op+0x57/0x80
[ 1987.356634] ? usercopy_abort+0x72/0x90
[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30
[ 1987.365734] ? usercopy_abort+0x72/0x90
[ 1987.370088] __check_heap_object+0xb7/0xd0
[ 1987.374739] __check_object_size+0x175/0x2d0
[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]
[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]
[ 1987.389878] process_one_work+0x13e/0x300
[ 1987.394435] ? __pfx_worker_thread+0x10/0x10
[ 1987.399284] worker_thread+0x2f7/0x420
[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 1987.409171] ? __pfx_worker_thread+0x10/0x10
[ 1987.414019] kthread+0x107/0x140
[ 1987.417693] ? __pfx_kthread+0x10/0x10
[ 1987.421954] ret_from_fork+0x3d/0x60
[ 1987.426019] ? __pfx_kthread+0x10/0x10
[ 1987.430281] ret_from_fork_asm+0x1b/0x30
[ 1987.434744] </TASK>

The issue arises because event log cache is created using kmem_cache_create() which is not suitable for user copy. Fix the issue by creating event log cache with kmem_cache_create_usercopy(), ensuring safe user copy.
AI Analysis
Technical Summary
CVE-2024-26746 is a bug in the Linux kernel's idxd driver (drivers/dma/idxd), which drives Intel Data Streaming Accelerator (DSA) and In-Memory Analytics Accelerator (IAA) devices. The driver keeps a SLUB cache of event log entries (named after the device, 'dsa0' in the trace) and, in the fault-handling work item idxd_evl_fault_work(), copies a completion record out of such an entry to a user-space address through idxd_copy_cr(). CONFIG_HARDENED_USERCOPY adds a check to every copy_to_user()/copy_from_user() that touches a SLUB object: the copied range must lie inside the region the cache owner declared as user-accessible when it created the cache with kmem_cache_create_usercopy(name, size, align, flags, useroffset, usersize, ctor). The event log cache was created with plain kmem_cache_create(), which declares no such region, so every copy out of it is rejected: __check_heap_object() calls usercopy_abort(), which prints the "Kernel memory exposure attempt detected" report and calls BUG(). That is the oops above; the "invalid opcode" line is the ud2 instruction BUG() compiles to on x86, not a second fault. Two conclusions follow. First, the check fires on a copy the driver intends to make, so the report is a false positive that kills the kworker thread, not evidence that kernel memory was disclosed; this bug offers no information leak. Second, the path is the device's ordinary error handling: the event log fault work runs when the hardware's write of a completion record faults, which a user-space client of a DSA work queue can bring about with ordinary descriptor submission, so the effect is a denial of service (a dead kworker, or a full panic where kernel.panic_on_oops=1 is set) on any kernel that has both the idxd event log code and CONFIG_HARDENED_USERCOPY=y. Without CONFIG_HARDENED_USERCOPY the copy proceeds unchecked and nothing fails. The fix is a single-site change: create the event log cache with kmem_cache_create_usercopy() and declare the completion record range as user-copyable, which is the contract the check enforces. No exploitation in the wild has been reported.
Potential Impact
For European organizations, as for anyone else, exposure is bounded by hardware rather than by kernel configuration. The idxd driver binds only to Intel DSA and IAA devices, which ship in 4th Gen Xeon Scalable (Sapphire Rapids) and later server platforms, so desktops, non-Intel servers and most virtual machines are out of scope. CONFIG_HARDENED_USERCOPY, by contrast, is enabled in the default kernels of the major distributions (Debian, Ubuntu, Fedora, RHEL and its derivatives, SUSE), so a DSA-equipped server running a stock distribution kernel in the affected range should be assumed to have it on; the option narrows exposure far less than the original wording suggested. The impact on such a host is availability: the BUG() kills the kworker servicing the event log, and where kernel.panic_on_oops=1 is set, which is common on production and cloud hosts, the machine reboots. The earlier version of this analysis also listed kernel memory exposure and information disclosure. That reading comes from the wording of the usercopy report, but the report is the hardened-usercopy check refusing a copy the driver intended to make, so no kernel data reaches user space. The realistic concern is therefore shared infrastructure: data-centre and cloud operators who expose DSA work queues to tenants or to untrusted workloads give those workloads a way to take down the node, and any high-availability service that depends on such a host inherits that outage.
Mitigation Recommendations
European organizations should take the following specific steps beyond generic patching advice:
1) Inventory the exposed hosts. A host is exposed only if all three hold: the kernel is in the affected range, CONFIG_HARDENED_USERCOPY=y (check /boot/config-$(uname -r) or /proc/config.gz), and the idxd driver is bound (lsmod, or a populated /sys/bus/dsa/devices when idxd is built in). The hardware inventory is the fastest filter: only servers with Intel DSA or IAA accelerators qualify.
2) Update to a kernel that carries the fix ("dmaengine: idxd: Ensure safe user copy of completion record"), which replaces kmem_cache_create() with kmem_cache_create_usercopy() for the event log cache. The fix landed in 6.8 and was backported to the affected stable series; take the fixed versions from the CVE record or your distribution's advisory rather than from the kernel version string alone, since distribution kernels backport fixes without changing the upstream version.
3) Where patching must wait, do not turn off CONFIG_HARDENED_USERCOPY: it checks every user copy in the kernel, and removing it trades one crash for a system-wide loss of a mitigation. If the accelerator is not needed, blacklist the idxd module (a "blacklist idxd" line in a file under /etc/modprobe.d/) so the fault path cannot run. If it is needed, restrict who may open the user work queue character devices the driver creates under /dev/dsa/ and /dev/iax/, because submitting descriptors to a work queue is what drives the device into the completion record fault path.
4) Monitor kernel logs for the signature in the trace: a "usercopy: Kernel memory exposure attempt detected from SLUB object 'dsaN'" line followed by "kernel BUG at mm/usercopy.c". Treat a hit as a crash to recover from and as a pointer to the workload that exercised the fault path; on its own it is not evidence of exploitation.
5) In virtualized environments, patch whichever kernel binds the driver: the guest when a DSA device is passed through to it, the host otherwise.
6) Test kernel updates in staging with the DSA workload actually running, since the affected path is exercised by device traffic, not by booting.
7) Keep the hardware and kernel-configuration inventory current so the filter in step 1 can be re-run as new kernels ship.
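The inventory check from step 1 and the log check from step 4, as an added example (not code from the kernel tree or from this advisory). File paths are parameters so the functions can be pointed at the live locations named above or at constructed files; the sample log the demo writes is constructed from the signature lines of the oops plus one unrelated line, and the module listing and sysfs directory it builds are likewise constructed.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-26746 (example code, not from the kernel tree or this advisory).
# It answers mitigation steps 1 and 4 with checks that run offline:
#   has_hardened_usercopy CONFIG     -> 0 if CONFIG_HARDENED_USERCOPY=y in that kernel config
#   idxd_present MODULES SYSFS_DIR   -> 0 if the idxd module is loaded or a DSA/IAA device is enumerated
#   count_usercopy_aborts LOG        -> prints how many lines in LOG carry the oops signatures
#   triage CONFIG MODULES SYSFS_DIR  -> prints exposed | hw-only | clear
# Paths are parameters so the same functions run against the live system
# (/boot/config-$(uname -r), /proc/modules, /sys/bus/dsa/devices, dmesg output)
# and against the constructed files the demo below creates.

has_hardened_usercopy() {
    # Anchored so "# CONFIG_HARDENED_USERCOPY is not set" and *_FALLBACK=y do not match.
    grep -q '^CONFIG_HARDENED_USERCOPY=y$' "$1"
}

idxd_present() {
    # $1: /proc/modules-style listing; $2: /sys/bus/dsa/devices-style directory.
    # A built-in idxd never appears in the module list, so the sysfs check is the fallback.
    grep -q '^idxd ' "$1" 2>/dev/null && return 0
    [ -d "$2" ] && [ -n "$(ls -A "$2" 2>/dev/null)" ]
}

count_usercopy_aborts() {
    # The two lines one triggered copy leaves behind: the hardened-usercopy report naming the
    # per-device 'dsaN' SLUB cache, and the BUG() it ends in. Prints 0 for no hits or no file.
    n=$(grep -c -E "usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa[0-9]+'|kernel BUG at mm/usercopy.c" "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

triage() {
    # exposed: idxd bound and hardened usercopy on; a completion-record fault will BUG()
    #          unless the running kernel already carries the fix.
    # hw-only: idxd bound, hardened usercopy off; the copy is unchecked and nothing crashes.
    # clear:   no idxd, so idxd_evl_fault_work() never runs.
    if idxd_present "$2" "$3"; then
        if has_hardened_usercopy "$1"; then echo exposed; else echo hw-only; fi
    else
        echo clear
    fi
}

write_sample_log() {
    # Constructed sample: the signature lines from the advisory's oops plus unrelated noise.
    cat > "$1" <<'EOF'
[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!
[ 1987.170845] ------------[ cut here ]------------
[ 1987.176086] kernel BUG at mm/usercopy.c:102!
[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]
[ 2001.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

demo() {
    # Constructed host: hardened usercopy on, idxd loaded, one dsa0 device, the sample log.
    d=$(mktemp -d)
    printf 'CONFIG_SLUB=y\nCONFIG_HARDENED_USERCOPY=y\n' > "$d/config"
    printf 'idxd 200704 0 - Live 0x0000000000000000\n' > "$d/modules"
    mkdir -p "$d/dsa/dsa0"
    write_sample_log "$d/dmesg"
    echo "triage: $(triage "$d/config" "$d/modules" "$d/dsa")"            # triage: exposed
    echo "usercopy aborts in log: $(count_usercopy_aborts "$d/dmesg")"   # usercopy aborts in log: 2
    rm -rf "$d"
}

demo
```

On a real host, run triage /boot/config-$(uname -r) /proc/modules /sys/bus/dsa/devices and feed count_usercopy_aborts a saved dmesg or journalctl -k dump; a host reported as exposed still needs its kernel version compared against the fixed versions in the CVE record, since the script cannot tell a patched kernel from an unpatched one.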
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.168Z
- CISA Enriched: true
- CVSS Version: null (no CVSS vector in the record)
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3a0f
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 6:10:07 PM
Last updated: 8/12/2025, 3:32:46 AM