CVE-2024-26937: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gt: Reset queue_priority_hint on parking

Originally, with strict in order execution, we could complete execution only when the queue was empty. Preempt-to-busy allows replacement of an active request that may complete before the preemption is processed by HW. If that happens, the request is retired from the queue, but the queue_priority_hint remains set, preventing direct submission until after the next CS interrupt is processed.

This preempt-to-busy race can be triggered by the heartbeat, which will also act as the power-management barrier and upon completion allow us to idle the HW. We may process the completion of the heartbeat, and begin parking the engine before the CS event that restores the queue_priority_hint, causing us to fail the assertion that it is MIN.

<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<0>[ 166.210781] Dumping ftrace buffer:
<0>[ 166.210795] ---------------------------------
...
<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }
<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646
<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0
<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659
<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40
<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }
<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2
<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin
<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2
<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin
<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660
<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }
<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked
<0>[ 167.303534] <idle>-0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040
<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }
<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }
<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<0>[ 167.303811] ---------------------------------
<4>[ 167.304722] ------------[ cut here ]------------
<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!
<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1
<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022
<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]
<4>[ 16 ---truncated---
AI Analysis
Technical Summary
CVE-2024-26937 is a vulnerability identified in the Linux kernel's Intel i915 graphics driver, specifically within the GPU engine power management and scheduling subsystem. The flaw arises from a race condition related to the handling of the queue_priority_hint variable during GPU request preemption and parking operations. Under normal strict in-order execution, GPU requests complete only when the queue is empty. However, with the introduction of preempt-to-busy functionality, an active GPU request can be replaced before the hardware processes the preemption, potentially causing the request to retire prematurely while the queue_priority_hint remains incorrectly set. This inconsistency prevents direct submission of new requests until the next command streamer (CS) interrupt occurs. The race can be triggered by the GPU heartbeat mechanism, which acts as a power management barrier. If the heartbeat completion and engine parking occur before the CS event that resets queue_priority_hint, it leads to a failed assertion and a kernel BUG, causing the system to crash or hang. The vulnerability is rooted in the drm/i915/gt driver code, affecting Intel Rocket Lake and potentially other Intel GPU platforms using this driver. The issue manifests as kernel panics or system instability, impacting availability. There is no indication that this vulnerability allows privilege escalation or data leakage directly, but the resulting denial of service can disrupt critical workloads. The vulnerability has been fixed in recent Linux kernel updates, but no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability primarily threatens system availability and stability on Linux systems using Intel integrated graphics with the affected i915 driver versions. Enterprises relying on Linux servers, workstations, or embedded devices with Intel GPUs could experience unexpected kernel crashes or system hangs, leading to downtime and potential disruption of business-critical applications. This is particularly impactful for sectors with high availability requirements such as finance, telecommunications, healthcare, and public services. While the vulnerability does not appear to directly compromise confidentiality or integrity, denial of service conditions can indirectly affect operational continuity and service delivery. Organizations running containerized or virtualized environments on affected Linux kernels may also face instability, complicating cloud and edge deployments. The lack of known exploits reduces immediate risk, but the presence of a kernel-level bug in a widely deployed driver necessitates prompt attention to avoid potential exploitation or accidental system failures.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the issue resides in the i915 driver, kernel updates from trusted Linux distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. For environments where immediate kernel upgrades are not feasible, organizations can consider temporarily disabling GPU preemption features or the i915 driver if GPU functionality is non-critical, though this may degrade graphics performance. Monitoring system logs for kernel BUG messages related to __engine_park or queue_priority_hint can help detect attempts to trigger the race condition. Additionally, organizations should maintain robust system backup and recovery procedures to minimize downtime from unexpected crashes. Testing kernel updates in staging environments before production deployment is recommended to ensure compatibility and stability. Finally, engaging with Linux vendor security advisories and subscribing to relevant CVE notifications will help maintain awareness of further developments or exploit disclosures.
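The log monitoring suggested above can be done with a small parser. This is an added example, not code from the kernel project or from this page's author; the function name `find_park_crashes`, the 5-second correlation window and the sample log (constructed from lines quoted in the description) are assumptions.

```python
import re

# Constructed sample: kernel log lines modelled on those quoted in the CVE
# description, plus one unrelated line.
SAMPLE_LOG = """\
<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked
<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
<4>[ 167.304722] ------------[ cut here ]------------
<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!
<6>[ 170.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Optional "<level>" prefix (raw kmsg / `dmesg -r`), then "[ seconds.micros]".
LINE = re.compile(r"^(?:<\d>)?\[\s*(\d+\.\d+)\]\s?(.*)$")
ASSERTION = re.compile(r"__engine_park:\d+ GEM_BUG_ON\(.*queue_priority_hint")
BUG_AT = re.compile(r"kernel BUG at (\S*i915/gt/intel_engine_pm\.c):(\d+)!")
PARKED = re.compile(r"__engine_park: (\S+) (\w+): parked")

def find_park_crashes(text, window=5.0):
    """Pair each 'kernel BUG at ...intel_engine_pm.c' line with a
    queue_priority_hint assertion logged at most `window` seconds earlier."""
    findings, assert_ts, parked = [], None, (None, None)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        p = PARKED.search(msg)
        if p:
            parked = (p.group(1), p.group(2))   # last engine seen parking
        if ASSERTION.search(msg):
            assert_ts = ts                       # printk and ftrace copies both count
        b = BUG_AT.search(msg)
        if b and assert_ts is not None and ts - assert_ts <= window:
            findings.append({"bug_ts": ts, "file": b.group(1),
                             "line": int(b.group(2)),
                             "device": parked[0], "engine": parked[1]})
            assert_ts = None                     # one finding per crash
    return findings

if __name__ == "__main__":
    for f in find_park_crashes(SAMPLE_LOG):
        print(f)
```

GEM_BUG_ON is compiled in only on kernels built with CONFIG_DRM_I915_DEBUG_GEM, so this exact signature is expected mainly on debug or CI builds such as the one in the quoted log.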
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.196Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2eb1
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:25:22 PM
Last updated: 8/18/2025, 11:23:16 PM