CVE-2024-26943: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

nouveau/dmem: handle kcalloc() allocation failure

The kcalloc() in nouveau_dmem_evict_chunk() will return null if the physical memory has run out. As a result, if we dereference src_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs will happen.

Moreover, the GPU is going away. If the kcalloc() fails, we could not evict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL flag in kcalloc().

Finally, as there is no need to have physically contiguous memory, this patch switches kcalloc() to kvcalloc() in order to avoid failing allocations.
AI Analysis
Technical Summary
CVE-2024-26943 is a vulnerability in the Linux kernel's nouveau driver, in the component that manages GPU device memory (dmem). The root cause is the handling of memory allocation failures during the eviction of memory chunks. The function nouveau_dmem_evict_chunk() uses kcalloc() to allocate the arrays that track the pages to be evicted. If physical memory is exhausted, kcalloc() can return a null pointer. The original code did not check for this failure and went on to dereference src_pfns, dst_pfns, or dma_addrs, causing a null pointer dereference and with it a kernel crash or denial of service (DoS).

The vulnerability also affects the eviction of GPU memory pages itself: a failed allocation can leave some pages mapped and not properly evicted, which could cause instability or unexpected GPU behavior. The patch makes two key changes. First, the allocation call was changed from kcalloc() to kvcalloc(), which does not require physically contiguous memory and reduces the chance of allocation failure. Second, the __GFP_NOFAIL flag was added to the allocation call to ensure the allocation does not fail, effectively preventing the null pointer dereferences.

This vulnerability is a stability and availability risk rather than a direct confidentiality or integrity compromise. It does not appear to allow privilege escalation or arbitrary code execution, but it can cause system crashes or GPU malfunction if triggered. No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions that include the nouveau driver with the described memory allocation logic. Since nouveau is an open-source NVIDIA GPU driver integrated into the Linux kernel, systems using NVIDIA GPUs with this driver are potentially affected.
The vulnerability was published on May 1, 2024, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, the primary impact of CVE-2024-26943 is on system availability and stability, particularly for those relying on Linux systems with NVIDIA GPUs using the nouveau driver. This includes data centers, research institutions, and enterprises running GPU-accelerated workloads such as machine learning, scientific computing, or graphics rendering. Successful exploitation would lead to kernel crashes or GPU malfunctions, causing service interruptions and potential downtime. While this does not directly compromise data confidentiality or integrity, the disruption of critical GPU-accelerated services could have operational and financial consequences. Organizations with high availability requirements or those running GPU-dependent applications need to be particularly cautious. Since the vulnerability does not require user interaction or authentication to trigger (it is a kernel-level null pointer dereference), any process with access to the GPU driver could potentially cause a denial of service, increasing the risk surface. However, exploitation complexity is moderate, as it requires triggering specific GPU memory eviction conditions. The lack of known exploits in the wild reduces immediate risk, but patching remains important to prevent future exploitation attempts.
Mitigation Recommendations
European organizations should apply the latest Linux kernel updates that include the patch for CVE-2024-26943 as soon as they become available. Specifically, ensure that the kernel version includes the switch from kcalloc() to kvcalloc() with the __GFP_NOFAIL flag in the nouveau driver. For environments where immediate patching is not feasible, consider the following mitigations: limit access to GPU resources to trusted users and processes only, monitor kernel logs for null pointer dereference or nouveau driver errors indicating potential exploitation attempts, and implement system-level resource limits to prevent memory exhaustion scenarios that could trigger the vulnerability. Additionally, organizations should evaluate the necessity of using the nouveau driver versus the proprietary NVIDIA driver, which may not be affected by this issue. For critical GPU workloads, consider isolating GPU resources in containerized or virtualized environments to contain potential crashes. Regularly audit and update GPU drivers and kernel versions as part of patch management policies to reduce exposure to similar vulnerabilities.
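The kernel-log monitoring recommended above can be sketched as follows. This is an added example, not part of the original advisory or of the kernel project: the sample log is constructed (offsets and timestamps are made up), and the function name `find_nouveau_null_derefs` is hypothetical. It groups each NULL-dereference oops and reports only those whose stack frames resolve inside the nouveau module.

```python
import re

# Constructed sample of kernel log output (not captured from a real system).
SAMPLE_LOG = """\
[  101.000001] nouveau 0000:01:00.0: DRM: suspending display...
[  245.310000] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  245.310010] #PF: supervisor write access in kernel mode
[  245.310020] RIP: 0010:nouveau_dmem_evict_chunk+0x1a2/0x3f0 [nouveau]
[  245.310030] Call Trace:
[  245.310040]  nouveau_dmem_fini+0x5c/0xb0 [nouveau]
[  245.310050] ---[ end trace 0000000000000000 ]---
[  300.500000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.500010] RIP: 0010:ext4_readdir+0x40/0x900
[  300.500020] ---[ end trace 0000000000000000 ]---
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
TIMESTAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")
# Frames resolved inside the nouveau module carry a "[nouveau]" suffix.
NOUVEAU_FRAME = re.compile(r"\b(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[nouveau\]")
TARGET = "nouveau_dmem_evict_chunk"  # function named in the CVE description


def find_nouveau_null_derefs(log_text):
    """Return one record per NULL-dereference oops that has nouveau frames."""
    findings, current = [], None
    # The sentinel end marker flushes an oops cut short before "end trace".
    for line in log_text.splitlines() + ["---[ end trace"]:
        if OOPS_START.search(line):
            ts = TIMESTAMP.match(line)
            current = {"time": ts.group(1) if ts else None, "frames": []}
        elif current is not None:
            frame = NOUVEAU_FRAME.search(line)
            if frame:
                current["frames"].append(frame.group(1))
            if OOPS_END.search(line):
                if current["frames"]:  # ignore oopses from other subsystems
                    current["evict_chunk"] = TARGET in current["frames"]
                    findings.append(current)
                current = None
    return findings


if __name__ == "__main__":
    for finding in find_nouveau_null_derefs(SAMPLE_LOG):
        print(finding)
```

A record with `evict_chunk` set to true is the closest match to the failure described in this advisory; other nouveau oopses are still worth triage but may have a different cause.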
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.197Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2ed4
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:26:38 PM
Last updated: 7/27/2025, 1:39:11 AM