
CVE-2024-26893: Vulnerability in Linux Linux

Medium
Published: Wed Apr 17 2024 (04/17/2024, 10:27:45 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix double free in SMC transport cleanup path

When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same transport_info member, chan_free() might want to clean up the same member multiple times within the given SCMI transport implementation. In this case, it is SMC transport. This will lead to a NULL pointer dereference at the second time:

| scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16
| arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.
| arm-scmi firmware:scmi: unable to communicate with SCMI
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
| Mem abort info:
|   ESR = 0x0000000096000004
|   EC = 0x25: DABT (current EL), IL = 32 bits
|   SET = 0, FnV = 0
|   EA = 0, S1PTW = 0
|   FSC = 0x04: level 0 translation fault
| Data abort info:
|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000
| [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
| Modules linked in:
| CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793
| Hardware name: FVP Base RevC (DT)
| pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
| pc : smc_chan_free+0x3c/0x6c
| lr : smc_chan_free+0x3c/0x6c
| Call trace:
|  smc_chan_free+0x3c/0x6c
|  idr_for_each+0x68/0xf8
|  scmi_cleanup_channels.isra.0+0x2c/0x58
|  scmi_probe+0x434/0x734
|  platform_probe+0x68/0xd8
|  really_probe+0x110/0x27c
|  __driver_probe_device+0x78/0x12c
|  driver_probe_device+0x3c/0x118
|  __driver_attach+0x74/0x128
|  bus_for_each_dev+0x78/0xe0
|  driver_attach+0x24/0x30
|  bus_add_driver+0xe4/0x1e8
|  driver_register+0x60/0x128
|  __platform_driver_register+0x28/0x34
|  scmi_driver_init+0x84/0xc0
|  do_one_initcall+0x78/0x33c
|  kernel_init_freeable+0x2b8/0x51c
|  kernel_init+0x24/0x130
|  ret_from_fork+0x10/0x20
| Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)
| ---[ end trace 0000000000000000 ]---

Simply check for the struct pointer being NULL before trying to access its members, to avoid this situation.

This was found when a transport doesn't really work (for instance no SMC service), the probe routines then try to clean up, and trigger a crash.

AI-Powered Analysis

Last updated: 06/29/2025, 19:56:49 UTC

Technical Analysis

CVE-2024-26893 is a vulnerability identified in the Linux kernel's ARM SCMI (System Control and Management Interface) firmware transport implementation. The issue arises in the cleanup path of the SMC (Secure Monitor Call) transport when tearing down communication channels. Specifically, the generic SCMI code calls a chan_free callback function to release resources associated with a channel. However, multiple SCMI protocols may share the same transport_info member, and the SMC transport implementation does not properly check if this shared resource has already been freed. This leads to a double free attempt, causing a NULL pointer dereference and subsequent kernel crash (kernel oops). The problem manifests when the transport is non-functional or missing (e.g., no SMC service available), triggering cleanup routines that attempt to free already freed memory. The kernel logs show a typical NULL pointer dereference with detailed abort information and a stack trace pointing to the smc_chan_free function. The fix involves adding a NULL pointer check before accessing or freeing the shared transport_info structure to prevent the double free and kernel panic. This vulnerability affects Linux kernel versions including commit 1dc6558062dadfabd2fb3bd885fa6e92ec7196f2 and likely others in the same branch. No known exploits are reported in the wild yet. The vulnerability is rooted in resource management and error handling in low-level firmware communication code on ARM platforms using SCMI over SMC transport.
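The cleanup pattern described above, as an added user-space model (not the kernel's code and not part of the original page). The struct and function names and the IRQ value are hypothetical, and the model assumes the first callback clears the shared transport_info pointer; instead of actually faulting, the pre-fix path reports each call that would have dereferenced NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the channel and SMC transport state. */
struct chan_info { void *transport_info; };
struct smc_info  { int irq; struct chan_info *cinfo; };

enum { FREE_OK = 0, FREE_NULL_DEREF = -1 };

/*
 * Models the transport's chan_free callback. With check_null == 0 it
 * behaves like the pre-fix code, except that the model returns an error
 * where the kernel would have read a member through a NULL pointer.
 */
static int model_chan_free(struct chan_info *cinfo, int check_null)
{
    struct smc_info *info = cinfo->transport_info;

    if (!info)  /* an earlier protocol already tore this channel down */
        return check_null ? FREE_OK : FREE_NULL_DEREF;

    info->irq = 0;                 /* stand-in for releasing the IRQ */
    cinfo->transport_info = NULL;  /* detach the shared transport state */
    info->cinfo = NULL;
    return FREE_OK;
}

/*
 * Models the generic teardown: one callback per protocol id, all of them
 * pointing at the same channel. Returns how many calls would have faulted.
 */
static int model_cleanup(int nprotocols, int check_null)
{
    struct smc_info info = { .irq = 42, .cinfo = NULL }; /* constructed */
    struct chan_info shared = { .transport_info = &info };
    int faults = 0;

    info.cinfo = &shared;
    for (int i = 0; i < nprotocols; i++)
        if (model_chan_free(&shared, check_null) == FREE_NULL_DEREF)
            faults++;
    return faults;
}

int main(void)
{
    printf("pre-fix, 2 protocols: %d faulting call(s)\n", model_cleanup(2, 0));
    printf("NULL check, 2 protocols: %d faulting call(s)\n", model_cleanup(2, 1));
    return 0;
}
```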

Potential Impact

For European organizations, the impact of CVE-2024-26893 depends largely on their use of Linux systems running on ARM architectures that utilize the SCMI firmware interface, particularly in embedded, IoT, or specialized hardware environments. Successful exploitation causes a kernel NULL pointer dereference leading to a denial of service (DoS) via system crash or reboot. This disrupts the availability of affected systems, which could be critical in industrial control systems, telecommunications infrastructure, or cloud edge devices running ARM-based Linux kernels. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the forced downtime and instability could impact operational continuity, especially in environments requiring high availability. European sectors relying on ARM-based Linux devices, such as automotive, manufacturing, or telecom providers, may face service interruptions or require emergency patching. Since no authentication or user interaction is needed to trigger the kernel crash once the vulnerable code path is reached, the risk of accidental or malicious DoS is non-negligible. However, the attack surface is limited to systems using the affected SCMI transport implementation, reducing broad exposure.

Mitigation Recommendations

1. Apply the official Linux kernel patches that include the fix for CVE-2024-26893 as soon as they become available in your distribution or mainline kernel updates.
2. For embedded or custom ARM Linux systems, ensure that SCMI transport implementations are updated to include NULL pointer checks before freeing shared resources.
3. Conduct thorough testing of firmware and kernel updates in staging environments to confirm stability and absence of regressions related to SCMI transport cleanup.
4. Monitor system logs for kernel oops or NULL pointer dereference messages related to smc_chan_free or SCMI firmware components to detect potential exploitation attempts or instability.
5. Limit exposure by restricting access to ARM-based Linux systems running SCMI firmware interfaces, especially in multi-tenant or network-exposed environments.
6. Implement robust system monitoring and automated reboot strategies to minimize downtime in case of kernel crashes.
7. Engage with hardware and OS vendors to confirm support and patch availability for affected ARM platforms.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.186Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d982bc4522896dcbe3e78

Added to database: 5/21/2025, 9:08:59 AM

Last enriched: 6/29/2025, 7:56:49 PM

Last updated: 8/18/2025, 11:34:48 PM
