CVE-2024-26847: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

powerpc/rtas: use correct function name for resetting TCE tables

The PAPR spec spells the function name as "ibm,reset-pe-dma-windows" but in practice firmware uses the singular form: "ibm,reset-pe-dma-window" in the device tree. Since we have the wrong spelling in the RTAS function table, reverse lookups (token -> name) fail and warn:

    unexpected failed lookup for token 86
    WARNING: CPU: 1 PID: 545 at arch/powerpc/kernel/rtas.c:659 __do_enter_rtas_trace+0x2a4/0x2b4
    CPU: 1 PID: 545 Comm: systemd-udevd Not tainted 6.8.0-rc4 #30
    Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NL1060_028) hv:phyp pSeries
    NIP [c0000000000417f0] __do_enter_rtas_trace+0x2a4/0x2b4
    LR [c0000000000417ec] __do_enter_rtas_trace+0x2a0/0x2b4
    Call Trace:
     __do_enter_rtas_trace+0x2a0/0x2b4 (unreliable)
     rtas_call+0x1f8/0x3e0
     enable_ddw.constprop.0+0x4d0/0xc84
     dma_iommu_dma_supported+0xe8/0x24c
     dma_set_mask+0x5c/0xd8
     mlx5_pci_init.constprop.0+0xf0/0x46c [mlx5_core]
     probe_one+0xfc/0x32c [mlx5_core]
     local_pci_probe+0x68/0x12c
     pci_call_probe+0x68/0x1ec
     pci_device_probe+0xbc/0x1a8
     really_probe+0x104/0x570
     __driver_probe_device+0xb8/0x224
     driver_probe_device+0x54/0x130
     __driver_attach+0x158/0x2b0
     bus_for_each_dev+0xa8/0x120
     driver_attach+0x34/0x48
     bus_add_driver+0x174/0x304
     driver_register+0x8c/0x1c4
     __pci_register_driver+0x68/0x7c
     mlx5_init+0xb8/0x118 [mlx5_core]
     do_one_initcall+0x60/0x388
     do_init_module+0x7c/0x2a4
     init_module_from_file+0xb4/0x108
     idempotent_init_module+0x184/0x34c
     sys_finit_module+0x90/0x114

And oopses are possible when lockdep is enabled or the RTAS tracepoints are active, since those paths dereference the result of the lookup.

Use the correct spelling to match firmware's behavior, adjusting the related constants to match.
AI Analysis
Technical Summary
CVE-2024-26847 is a vulnerability in the Linux kernel affecting the PowerPC architecture's RTAS (Run-Time Abstraction Services) implementation. The issue arises from a mismatch in the function name used to reset TCE (Translation Control Entry) tables when interacting with device firmware. The PAPR (Power Architecture Platform Reference) specification names the function "ibm,reset-pe-dma-windows" (plural), but in practice firmware uses the singular form "ibm,reset-pe-dma-window" in the device tree. The Linux kernel's RTAS function table uses the plural form, so reverse lookups from token to function name fail. The failed lookup triggers a kernel warning, and kernel oopses are possible when lockdep (the lock dependency validator) or the RTAS tracepoints are enabled, because those code paths dereference the result of the failed lookup, leading to potential kernel crashes or instability.

The vulnerability affects Linux kernel versions prior to the fix that corrects the function name spelling to match firmware behavior. The impact is primarily on systems running on IBM POWER10 hardware or similar PowerPC platforms using RTAS for device management. The CVSS 3.1 score is 5.1 (medium severity), reflecting a local attack vector with high attack complexity, no privileges required, no user interaction, and an impact limited to availability (kernel crashes). There is no impact on confidentiality or integrity. No known exploits are reported in the wild at this time.
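The failure mode described above, as a simplified userspace model in C. This is an added example, not code from the kernel or from this page; the struct, the function names and token 53 are assumptions. It shows why the plural spelling leaves token 86 without an owner in the table, next to a consumer that checks the lookup result rather than dereferencing it.

```c
#include <stdio.h>
#include <string.h>

/* Simplified userspace model, not kernel code; all identifiers are hypothetical. */
#define TOKEN_UNKNOWN (-1)
struct rtas_fn { const char *name; int token; };

/* Constructed sample of what firmware advertises in the device tree.
 * Token 86 is the one in the warning above; token 53 is made up. */
static const struct rtas_fn firmware_dt[] = {
    { "ibm,reset-pe-dma-window", 86 },
    { "ibm,query-pe-dma-window", 53 },
};
#define DT_LEN (sizeof(firmware_dt) / sizeof(firmware_dt[0]))

/* Forward pass: an entry gets a token only if firmware uses the same spelling. */
static void assign_tokens(struct rtas_fn *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        tbl[i].token = TOKEN_UNKNOWN;
        for (size_t j = 0; j < DT_LEN; j++)
            if (strcmp(tbl[i].name, firmware_dt[j].name) == 0)
                tbl[i].token = firmware_dt[j].token;
    }
}

/* Reverse lookup (token -> entry); NULL when no entry owns the token. */
static const struct rtas_fn *token_to_fn(const struct rtas_fn *tbl, size_t n, int token)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].token == token)
            return &tbl[i];
    return NULL;
}

/* Trace-style consumer that checks the result instead of dereferencing it blindly. */
static const char *name_for_token_86(const char *reset_spelling)
{
    struct rtas_fn tbl[] = { { reset_spelling, 0 }, { "ibm,query-pe-dma-window", 0 } };
    assign_tokens(tbl, 2);
    const struct rtas_fn *fn = token_to_fn(tbl, 2, 86);
    return fn ? fn->name : "(unknown token)";
}

int main(void)
{
    printf("plural   -> %s\n", name_for_token_86("ibm,reset-pe-dma-windows"));
    printf("singular -> %s\n", name_for_token_86("ibm,reset-pe-dma-window"));
    return 0;
}
```

The NULL check in the consumer is a defensive illustration only; the fix the description refers to is the spelling correction in the function table.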
Potential Impact
For European organizations, the impact of CVE-2024-26847 is mainly related to system stability and availability on affected PowerPC-based Linux systems, particularly those using IBM POWER10 hardware or similar platforms. Organizations relying on such hardware for critical infrastructure, data centers, or specialized computing environments may experience unexpected kernel crashes or system instability if the vulnerable kernel version is deployed. This can lead to service disruptions, potential downtime, and increased operational costs due to troubleshooting and recovery efforts. Since the vulnerability does not affect confidentiality or integrity, the risk of data breach or unauthorized access is minimal. However, availability issues can still have significant operational consequences, especially in environments requiring high reliability. The vulnerability requires local access and has high attack complexity, reducing the likelihood of exploitation by remote attackers. Nevertheless, insider threats or compromised local users could trigger the issue. The lack of known exploits in the wild further reduces immediate risk but does not eliminate the need for timely patching.
Mitigation Recommendations
To mitigate CVE-2024-26847, European organizations should:

1) Identify and inventory Linux systems running on PowerPC architecture, especially IBM POWER10 hardware, to assess exposure.
2) Apply the official Linux kernel patches that correct the RTAS function name spelling to match firmware behavior. This fix prevents the failed token lookups and associated kernel oopses.
3) If immediate patching is not possible, consider disabling lockdep and RTAS tracepoints temporarily to reduce the risk of kernel crashes, though this is not a long-term solution.
4) Monitor system logs for warning messages related to RTAS token lookup failures or kernel oopses to detect potential triggering of the vulnerability.
5) Implement strict access controls to limit local user access on affected systems, minimizing the risk of exploitation.
6) Coordinate with hardware vendors and Linux distribution maintainers to ensure timely updates and support.
7) Test patches in a controlled environment before deployment to avoid unintended disruptions.

These steps go beyond generic advice by focusing on architecture-specific identification, targeted patching, and operational monitoring tailored to the nature of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.182Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3d69
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 7:26:00 PM
Last updated: 8/14/2025, 5:34:42 PM