CVE-2024-26906: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

When trying to use copy_from_kernel_nofault() to read the vsyscall page through a bpf program, the following oops was reported:

  BUG: unable to handle page fault for address: ffffffffff600000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
  Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
  ......
  Call Trace:
   <TASK>
   ? copy_from_kernel_nofault+0x6f/0x110
   bpf_probe_read_kernel+0x1d/0x50
   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
   trace_call_bpf+0xc5/0x1c0
   perf_call_bpf_enter.isra.0+0x69/0xb0
   perf_syscall_enter+0x13e/0x200
   syscall_trace_enter+0x188/0x1c0
   do_syscall_64+0xb5/0xe0
   entry_SYSCALL_64_after_hwframe+0x6e/0x76
   </TASK>
  ......
  ---[ end trace 0000000000000000 ]---

The oops is triggered when:

1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault(), which in turn calls __get_user_asm().
2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly.
3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up set up by bpf not being applied, and page_fault_oops() is invoked due to SMAP.

Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault().
AI Analysis
Technical Summary
CVE-2024-26906 is a vulnerability identified in the Linux kernel related to the handling of the vsyscall page when accessed through the copy_from_kernel_nofault() function, particularly in the context of BPF (Berkeley Packet Filter) programs. The issue arises when a BPF program attempts to read from the vsyscall page using bpf_probe_read_kernel(), which internally calls copy_from_kernel_nofault(). This function then invokes __get_user_asm() to access the memory. However, the vsyscall page is not readable from kernel space, leading to a page fault exception. The kernel's page fault handler, handle_page_fault(), mistakenly treats the vsyscall page address as a user space address rather than a kernel space address. Consequently, the expected fix-up mechanism set by BPF is not applied, triggering a page_fault_oops() due to Supervisor Mode Access Prevention (SMAP). This results in a kernel oops (crash) with a detailed stack trace indicating the fault during the copy_from_kernel_nofault() call. The vulnerability is addressed by disallowing reads from the vsyscall page within copy_from_kernel_nofault(), preventing the kernel oops from occurring. The affected Linux kernel versions are identified by specific commit hashes, and no known exploits are currently reported in the wild. This vulnerability is primarily a stability and reliability issue rather than a direct security breach, as it causes kernel crashes when certain BPF programs attempt to read protected memory regions incorrectly.
Potential Impact
For European organizations, the primary impact of CVE-2024-26906 is on system stability and reliability rather than direct compromise of confidentiality or integrity. Systems running vulnerable Linux kernel versions that utilize BPF programs for monitoring, tracing, or security enforcement could experience kernel crashes or denial of service conditions if these programs attempt to read the vsyscall page. This could disrupt critical services, especially in environments relying heavily on Linux-based infrastructure such as cloud providers, telecommunications, financial institutions, and public sector organizations. While no direct exploitation for privilege escalation or data leakage is indicated, the induced kernel oops could be leveraged by attackers to cause denial of service or to destabilize systems during targeted attacks. Organizations with high availability requirements or those running custom BPF programs should be particularly cautious. The absence of known exploits reduces immediate risk, but the vulnerability highlights the importance of kernel patching and careful BPF program design.
Mitigation Recommendations
1. Apply the latest Linux kernel patches that address CVE-2024-26906 as soon as they become available from trusted sources or distributions.
2. Audit and review all BPF programs running in your environment to ensure they do not attempt to read from the vsyscall page or other protected kernel memory areas.
3. Implement strict controls on who can load or execute BPF programs, limiting this capability to trusted administrators and processes.
4. Monitor kernel logs and system stability metrics for signs of page faults or kernel oops related to BPF activity, enabling early detection of potential exploitation attempts or misconfigurations.
5. For environments using custom or third-party BPF tools, coordinate with vendors or developers to confirm compatibility with patched kernels and to receive updates that avoid triggering this vulnerability.
6. Consider deploying kernel hardening features and security modules that restrict kernel memory access patterns further, reducing the attack surface for similar vulnerabilities.
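Recommendation 4 above asks for kernel-log monitoring. The following script is an added example (not part of the CVE record or of the Linux kernel sources) that scans dmesg-style output for the specific oops signature described in this record: a page fault on the vsyscall page whose call trace shows a BPF probe-read helper reaching copy_from_kernel_nofault(). The page-granular address test is modelled on the kernel's own is_vsyscall_vaddr() helper, which the upstream fix relies on, but the implementation here is the example's own; the vsyscall base address 0xffffffffff600000 is taken from the fault address on this page. The sample log is constructed from the trace in the description, with timestamps and a second, unrelated oops added as a negative case.

```python
import re
from typing import Iterable

# x86-64 legacy vsyscall page: one 4 KiB page at a fixed virtual address. The
# faulting address in the CVE-2024-26906 oops (ffffffffff600000) is its base.
VSYSCALL_ADDR = 0xFFFFFFFFFF600000
PAGE_SIZE = 0x1000

# BPF helper frames that indicate a probe read reaching copy_from_kernel_nofault().
PROBE_READ_FRAMES = {"bpf_probe_read_kernel", "bpf_probe_read_kernel_str",
                     "bpf_probe_read", "bpf_probe_read_compat"}
NOFAULT_FRAME = "copy_from_kernel_nofault"


def is_vsyscall_vaddr(vaddr: int) -> bool:
    """Page-granular test: does vaddr fall inside the vsyscall page?
    Modelled on the kernel helper of the same name (example implementation)."""
    return (vaddr & ~(PAGE_SIZE - 1)) == VSYSCALL_ADDR


_PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
_PF_RE = re.compile(r"BUG: unable to handle page fault for address: ([0-9a-fA-F]+)")
_TASK_RE = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+)")
_FRAME_RE = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
_END_RE = re.compile(r"---\[ end trace")


def parse_oopses(lines: Iterable[str]) -> list[dict]:
    """Split a kernel log into oops records: fault address, pid/comm, the RIP
    symbol and the symbols listed between <TASK> and </TASK>."""
    oopses: list[dict] = []
    cur = None
    in_trace = False
    for raw in lines:
        line = _PREFIX_RE.sub("", raw.rstrip("\n"))
        m = _PF_RE.search(line)
        if m:                                  # a new oops starts here
            cur = {"addr": int(m.group(1), 16), "pid": None, "comm": None,
                   "rip": None, "frames": []}
            in_trace = False
            continue
        if cur is None:
            continue                           # noise outside any oops
        m = _TASK_RE.search(line)
        if m:
            cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
        elif line.startswith("RIP:"):
            syms = _FRAME_RE.findall(line)
            cur["rip"] = syms[0] if syms else None
        elif "Call Trace:" in line or "<TASK>" in line:
            in_trace = True
        elif "</TASK>" in line:
            in_trace = False
        elif _END_RE.search(line):             # end-of-trace marker closes the record
            oopses.append(cur)
            cur, in_trace = None, False
        elif in_trace:
            cur["frames"].extend(_FRAME_RE.findall(line))
    return oopses


def matches_cve_2024_26906(oops: dict) -> bool:
    """True when the fault address is the vsyscall page and the trace shows a
    BPF probe read going through copy_from_kernel_nofault()."""
    syms = set(oops["frames"])
    if oops["rip"]:
        syms.add(oops["rip"])
    return (is_vsyscall_vaddr(oops["addr"])
            and NOFAULT_FRAME in syms
            and bool(syms & PROBE_READ_FRAMES))


def scan(log_text: str) -> list[dict]:
    """Return the oops records in log_text that match the CVE-2024-26906 pattern."""
    return [o for o in parse_oopses(log_text.splitlines()) if matches_cve_2024_26906(o)]


# Constructed sample: the trace from the CVE description with dmesg-style
# timestamps added, followed by an unrelated oops that must not be flagged.
SAMPLE_DMESG = """\
[  512.001000] BUG: unable to handle page fault for address: ffffffffff600000
[  512.001001] #PF: supervisor read access in kernel mode
[  512.001002] #PF: error_code(0x0000) - not-present page
[  512.001003] Oops: 0000 [#1] PREEMPT SMP PTI
[  512.001004] CPU: 1 PID: 20390 Comm: test_progs Not tainted 6.7.0+ #58
[  512.001005] RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
[  512.001006] Call Trace:
[  512.001007]  <TASK>
[  512.001008]  ? copy_from_kernel_nofault+0x6f/0x110
[  512.001009]  bpf_probe_read_kernel+0x1d/0x50
[  512.001010]  bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
[  512.001011]  trace_call_bpf+0xc5/0x1c0
[  512.001012]  do_syscall_64+0xb5/0xe0
[  512.001013]  entry_SYSCALL_64_after_hwframe+0x6e/0x76
[  512.001014]  </TASK>
[  512.001015] ---[ end trace 0000000000000000 ]---
[  900.000000] BUG: unable to handle page fault for address: 0000000000000010
[  900.000001] CPU: 0 PID: 1 Comm: systemd Not tainted 6.7.0+ #58
[  900.000002] Call Trace:
[  900.000003]  <TASK>
[  900.000004]  some_driver_probe+0x10/0x40
[  900.000005]  </TASK>
[  900.000006] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_DMESG):
        print(f"vsyscall read via BPF probe: pid={hit['pid']} comm={hit['comm']} "
              f"addr={hit['addr']:#x} rip={hit['rip']}")
```

In practice, feed the output of `dmesg` or `journalctl -k` into scan(); a hit on a kernel that should already be patched is worth investigating, since it means either the patch is missing or a BPF program is still probing that page. The frame-name check deliberately accepts any of the probe-read helper variants, because the exact helper depends on the program's BPF API level.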
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.187Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe3ee4
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 8:10:37 PM
Last updated: 8/7/2025, 12:31:35 PM