CVE-2024-26796: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

drivers: perf: ctr_get_width function for legacy is not defined

With parameters CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n linux kernel crashes when you try perf record:

    $ perf record ls
    [ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    [ 46.750199] Oops [#1]
    [ 46.750342] Modules linked in:
    [ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2
    [ 46.750906] Hardware name: riscv-virtio,qemu (DT)
    [ 46.751184] epc : 0x0
    [ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e
    [ 46.751680] epc : 0000000000000000 ra : ffffffff8072ee52 sp : ff2000000022b8f0
    [ 46.751958] gp : ffffffff81505988 tp : ff6000000290d400 t0 : ff2000000022b9c0
    [ 46.752229] t1 : 0000000000000001 t2 : 0000000000000003 s0 : ff2000000022b930
    [ 46.752451] s1 : ff600000028fb000 a0 : 0000000000000000 a1 : ff600000028fb000
    [ 46.752673] a2 : 0000000ae2751268 a3 : 00000000004fb708 a4 : 0000000000000004
    [ 46.752895] a5 : 0000000000000000 a6 : 000000000017ffe3 a7 : 00000000000000d2
    [ 46.753117] s2 : ff600000028fb000 s3 : 0000000ae2751268 s4 : 0000000000000000
    [ 46.753338] s5 : ffffffff8153e290 s6 : ff600000863b9000 s7 : ff60000002961078
    [ 46.753562] s8 : ff60000002961048 s9 : ff60000002961058 s10: 0000000000000001
    [ 46.753783] s11: 0000000000000018 t3 : ffffffffffffffff t4 : ffffffffffffffff
    [ 46.754005] t5 : ff6000000292270c t6 : ff2000000022bb30
    [ 46.754179] status: 0000000200000100 badaddr: 0000000000000000 cause: 000000000000000c
    [ 46.754653] Code: Unable to access instruction at 0xffffffffffffffec.
    [ 46.754939] ---[ end trace 0000000000000000 ]---
    [ 46.755131] note: perf-exec[107] exited with irqs disabled
    [ 46.755546] note: perf-exec[107] exited with preempt_count 4

This happens because in the legacy case the ctr_get_width function was not defined, but it is used in arch_perf_update_userpage.

Also remove extra check in riscv_pmu_ctr_get_width_mask
AI Analysis
Technical Summary
CVE-2024-26796 is a vulnerability identified in the Linux kernel specifically affecting the performance monitoring unit (PMU) implementation for RISC-V architectures under certain kernel configuration parameters. The flaw arises when the kernel is compiled with CONFIG_RISCV_PMU_LEGACY=y and CONFIG_RISCV_PMU_SBI=n. Under these conditions, the function ctr_get_width, which is expected to provide the width of performance counters, is not defined for legacy PMU support. However, this undefined function is called within arch_perf_update_userpage, leading to a NULL pointer dereference.

When a user attempts to run 'perf record' (a Linux profiling tool) on an affected system, the kernel crashes with an oops message indicating a NULL pointer dereference at address 0x0. This results in a denial of service (DoS) condition where the kernel becomes unstable or halts. The issue is specific to RISC-V virtualized environments (e.g., QEMU with riscv-virtio hardware) and is triggered by performance monitoring operations. The root cause is a missing function definition combined with an improper check in the PMU code path.

The vulnerability does not require user interaction beyond running perf record and does not appear to be exploitable for privilege escalation or arbitrary code execution. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The problem is resolved by defining the ctr_get_width function properly and removing redundant checks in the RISC-V PMU code. This vulnerability highlights the importance of thorough kernel configuration testing, especially for emerging architectures like RISC-V, and the risks of incomplete legacy support code paths.
Potential Impact
For European organizations, the primary impact of CVE-2024-26796 is a potential denial of service on Linux systems running on RISC-V architectures with the specified kernel configurations. While RISC-V adoption in Europe is currently limited compared to x86 and ARM, it is growing in research, academia, and some embedded or specialized computing sectors. Organizations using RISC-V Linux systems for development, testing, or production could experience unexpected kernel crashes when using performance monitoring tools, disrupting operations and debugging activities. This could delay development cycles or impact reliability in embedded systems or virtualized environments. Since the vulnerability causes a kernel panic, it could also affect availability of critical systems if exploited or triggered inadvertently. However, the lack of known exploits and the requirement for specific kernel configurations reduce the immediate risk. Confidentiality and integrity impacts are minimal as the flaw does not allow code execution or privilege escalation. Overall, the threat is primarily operational, affecting system stability and availability in niche RISC-V Linux deployments within Europe.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:

1) Identify and inventory Linux systems running on RISC-V architectures, particularly those using kernel versions around 6.6.0 or similar where this issue is present.
2) Verify kernel configuration parameters related to PMU support (CONFIG_RISCV_PMU_LEGACY and CONFIG_RISCV_PMU_SBI) to assess exposure.
3) Apply the latest Linux kernel patches or updates that address CVE-2024-26796 as soon as they become available from trusted sources or distributions.
4) If patching is not immediately possible, avoid running 'perf record' or similar performance monitoring commands on affected systems to prevent triggering the crash.
5) For virtualized RISC-V environments (e.g., QEMU), ensure that the hypervisor and guest kernel are updated to versions that include the fix.
6) Implement monitoring to detect kernel oops or crashes related to perf tools to quickly identify attempts to trigger the vulnerability.
7) Engage with Linux distribution vendors and RISC-V hardware providers to confirm timelines for patch availability and coordinate updates.

These targeted actions go beyond generic advice by focusing on configuration parameters, specific tools usage, and virtualization contexts relevant to this vulnerability.
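
An added example, not part of the original advisory, for steps 2 and 6: it checks a kernel config for the combination named above and scans kernel log lines for the oops signature from the description. The function names are illustrative, and the second report in the sample log is constructed.

```python
import re

LEGACY, SBI = "CONFIG_RISCV_PMU_LEGACY", "CONFIG_RISCV_PMU_SBI"
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
RA_IN_PERF = re.compile(r"ra\s*:\s*arch_perf_update_userpage\+")

def parse_kconfig(text):
    """Map each set CONFIG_ symbol to its value; '# ... is not set' lines are skipped."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts

def config_exposed(text):
    """True for the combination the advisory names: legacy PMU on, SBI PMU off."""
    opts = parse_kconfig(text)
    return opts.get(LEGACY) == "y" and opts.get(SBI, "n") == "n"

def find_pmu_oops(lines):
    """Return the task name (Comm:) of each NULL-deref oops with ra in arch_perf_update_userpage."""
    hits, in_oops, comm, matched = [], False, None, False
    for raw in lines:
        msg = STAMP.sub("", raw.strip())
        if "NULL pointer dereference" in msg:     # first line of a new report
            in_oops, comm, matched = True, None, False
        elif in_oops:
            task = re.search(r"Comm: (\S+)", msg)
            comm = task.group(1) if task else comm
            matched = matched or bool(RA_IN_PERF.match(msg))
            if msg.startswith("---[ end trace"):  # report complete: decide
                if matched:
                    hits.append(comm)
                in_oops = False
    return hits

# First report: lines taken from the trace in the description. Second report: constructed.
SAMPLE_LOG = """\
[ 46.749286] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 46.750608] CPU: 0 PID: 107 Comm: perf-exec Not tainted 6.6.0 #2
[ 46.751430] ra : arch_perf_update_userpage+0x54/0x13e
[ 46.754939] ---[ end trace 0000000000000000 ]---
[ 90.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[ 90.000002] CPU: 0 PID: 200 Comm: example-task Not tainted 6.6.0 #2
[ 90.000003] ra : example_driver_fn+0x10/0x40
[ 90.000004] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Pass `config_exposed` the text of the running kernel's config (for example `/boot/config-<release>` or the decompressed `/proc/config.gz`) and `find_pmu_oops` the lines of the kernel log. A kernel that already carries the fix can still be built with this configuration, so a positive config result means the patch level needs checking, not that the crash is guaranteed.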
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.178Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3c2c
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 6:42:59 PM
Last updated: 7/28/2025, 8:25:53 PM