CVE-2024-26935: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.
AI Analysis
Technical Summary
CVE-2024-26935 addresses a vulnerability in the Linux kernel's SCSI (Small Computer System Interface) core subsystem related to the handling of procfs host directories. The issue originated from a regression caused by a previous fix that aimed to resolve module loading and unloading bugs. Specifically, the vulnerability involves improper management of the procfs directory associated with SCSI hosts. The procfs directory is created during the allocation of a SCSI host (scsi_host_alloc()) and is supposed to be removed when the host is released. However, due to a flawed sequence of calls and missing state checks, certain error paths—such as those triggered by the USB raw gadget device interacting with the usb-storage driver—can lead to a leak of the SCSI host proc structure. This manifests as warnings in system logs (dmesg) indicating that the proc directory is already registered, which implies a resource leak and potential instability. The root cause is that in some error scenarios, the SCSI host is allocated but never fully added (scsi_add_host() is not called), causing the removal routine to be skipped or called improperly. The proposed fix involves reinstating the removal call (scsi_proc_hostdir_rm()) during device release but guarded by a state check for SHOST_CREATED, ensuring that the proc directory is only removed if it was properly created. This correction prevents the warning messages and resource leaks without reintroducing the original regression. Although this vulnerability does not directly lead to remote code execution or privilege escalation, it affects kernel resource management and stability, particularly in systems using USB storage devices and SCSI subsystems. The issue is primarily a kernel-level resource leak and warning generation, which could potentially be exploited to cause denial of service through resource exhaustion or kernel instability under specific conditions.
Potential Impact
For European organizations, this vulnerability primarily poses a risk to system stability and reliability rather than direct data compromise. Organizations relying on Linux servers, especially those utilizing USB storage devices or SCSI subsystems extensively (e.g., data centers, cloud providers, and enterprises with Linux-based infrastructure), may experience kernel warnings and potential resource leaks that could degrade system performance or lead to denial of service conditions. Although no known exploits are reported in the wild, persistent resource leaks in critical infrastructure could increase maintenance overhead and risk of unexpected downtime. This is particularly relevant for industries with high availability requirements such as finance, telecommunications, healthcare, and manufacturing. Additionally, organizations with strict compliance and security monitoring may find the kernel warnings disruptive or indicative of underlying system issues that require prompt attention. However, since this vulnerability does not allow unauthorized access or privilege escalation, the confidentiality and integrity of data are not directly threatened. The main concern is availability and operational continuity.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the official Linux kernel patches that include the fix for CVE-2024-26935 as soon as they become available from their Linux distribution vendors or upstream kernel sources. 2) Monitor system logs (dmesg) for warnings related to 'proc_dir_entry already registered' or similar messages indicating procfs host directory leaks, which can help identify affected systems. 3) For systems using USB storage devices or SCSI subsystems, conduct targeted testing after patching to ensure that error paths no longer produce warnings or leaks. 4) Implement kernel live patching solutions where possible to reduce downtime during patch deployment. 5) Maintain updated inventories of Linux kernel versions in use across infrastructure to prioritize patching efforts. 6) Consider isolating or limiting the use of USB raw gadget devices in sensitive environments until patches are applied, as these devices trigger the problematic error path. 7) Engage with Linux distribution security advisories and subscribe to relevant mailing lists to receive timely updates on kernel vulnerabilities and patches. These steps go beyond generic advice by focusing on proactive monitoring, targeted patching, and operational controls specific to the affected subsystems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-26935: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix unremoved procfs host directory regression Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier") fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it's also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host directory removal regression"). The fix just dropped the hostdir_rm() call from dev_release(). But it happens that this proc directory is created on scsi_host_alloc(), and that function "pairs" with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn't happen. And that pattern happens to exist in some error paths, for example. Syzkaller causes that by using USB raw gadget device, error'ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there's no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure): usb-storage 4-1:87.51: USB Mass Storage device detected proc_dir_entry 'scsi/usb-storage' already registered WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there was no calls to {add,remove}_host(), like the usb-storage case. This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.
AI-Powered Analysis
Technical Analysis
CVE-2024-26935 addresses a vulnerability in the Linux kernel's SCSI (Small Computer System Interface) core subsystem related to the handling of procfs host directories. The issue originated from a regression caused by a previous fix that aimed to resolve module loading and unloading bugs. Specifically, the vulnerability involves improper management of the procfs directory associated with SCSI hosts. The procfs directory is created during the allocation of a SCSI host (scsi_host_alloc()) and is supposed to be removed when the host is released. However, due to a flawed sequence of calls and missing state checks, certain error paths—such as those triggered by the USB raw gadget device interacting with the usb-storage driver—can lead to a leak of the SCSI host proc structure. This manifests as warnings in system logs (dmesg) indicating that the proc directory is already registered, which implies a resource leak and potential instability. The root cause is that in some error scenarios, the SCSI host is allocated but never fully added (scsi_add_host() is not called), causing the removal routine to be skipped or called improperly. The proposed fix involves reinstating the removal call (scsi_proc_hostdir_rm()) during device release but guarded by a state check for SHOST_CREATED, ensuring that the proc directory is only removed if it was properly created. This correction prevents the warning messages and resource leaks without reintroducing the original regression. Although this vulnerability does not directly lead to remote code execution or privilege escalation, it affects kernel resource management and stability, particularly in systems using USB storage devices and SCSI subsystems. The issue is primarily a kernel-level resource leak and warning generation, which could potentially be exploited to cause denial of service through resource exhaustion or kernel instability under specific conditions.
Potential Impact
For European organizations, this vulnerability primarily poses a risk to system stability and reliability rather than direct data compromise. Organizations relying on Linux servers, especially those utilizing USB storage devices or SCSI subsystems extensively (e.g., data centers, cloud providers, and enterprises with Linux-based infrastructure), may experience kernel warnings and potential resource leaks that could degrade system performance or lead to denial of service conditions. Although no known exploits are reported in the wild, persistent resource leaks in critical infrastructure could increase maintenance overhead and risk of unexpected downtime. This is particularly relevant for industries with high availability requirements such as finance, telecommunications, healthcare, and manufacturing. Additionally, organizations with strict compliance and security monitoring may find the kernel warnings disruptive or indicative of underlying system issues that require prompt attention. However, since this vulnerability does not allow unauthorized access or privilege escalation, the confidentiality and integrity of data are not directly threatened. The main concern is availability and operational continuity.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should: 1) Apply the official Linux kernel patches that include the fix for CVE-2024-26935 as soon as they become available from their Linux distribution vendors or upstream kernel sources. 2) Monitor system logs (dmesg) for warnings related to 'proc_dir_entry already registered' or similar messages indicating procfs host directory leaks, which can help identify affected systems. 3) For systems using USB storage devices or SCSI subsystems, conduct targeted testing after patching to ensure that error paths no longer produce warnings or leaks. 4) Implement kernel live patching solutions where possible to reduce downtime during patch deployment. 5) Maintain updated inventories of Linux kernel versions in use across infrastructure to prioritize patching efforts. 6) Consider isolating or limiting the use of USB raw gadget devices in sensitive environments until patches are applied, as these devices trigger the problematic error path. 7) Engage with Linux distribution security advisories and subscribe to relevant mailing lists to receive timely updates on kernel vulnerabilities and patches. These steps go beyond generic advice by focusing on proactive monitoring, targeted patching, and operational controls specific to the affected subsystems.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.196Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbddb87
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:54:54 AM
Last updated: 8/12/2025, 12:41:21 PM
Views: 14
Related Threats
CVE-2025-20048: Escalation of Privilege in Intel(R) Trace Analyzer and Collector software
MediumCVE-2025-20037: Escalation of Privilege in Intel(R) Converged Security and Management Engine
MediumCVE-2025-20025: Denial of Service in TinyCBOR libraries maintained by Intel(R)
MediumCVE-2025-20023: Escalation of Privilege in Intel(R) Graphics Driver software installers
MediumCVE-2025-20017: Escalation of Privilege in Intel(R) oneAPI Toolkit and component software installers
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.