CVE-2024-26960: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----
AI Analysis
Technical Summary
CVE-2024-26960 is a medium-severity vulnerability in the Linux kernel's memory management subsystem, specifically related to swap management. The issue arises from a race condition between two kernel functions: free_swap_and_cache() and swapoff(). In Linux, swapoff() is used to disable swap devices, and free_swap_and_cache() is responsible for freeing swap cache entries. The vulnerability occurs because swapoff() can teardown a swap_info_struct (the kernel's internal structure representing a swap device) while free_swap_and_cache() is concurrently running in another thread. This race condition can lead to free_swap_and_cache() accessing freed memory, particularly the swap_map, which tracks swap pages. Although the vulnerability is described as theoretical and no test case has successfully provoked it, code review confirms its plausibility. The root cause is that swapoff() may proceed to unuse swap pages and free swap cache entries while free_swap_and_cache() is still operating, potentially causing use-after-free conditions. The fix involves synchronizing these operations by using get_swap_device() and put_swap_device() calls to stall swapoff() until free_swap_and_cache() completes, and adding additional checks in free_swap_and_cache() to ensure swap entries are valid before access. The vulnerability is classified under CWE-362 (Race Condition) and has a CVSS v3.1 base score of 5.5, indicating medium severity. The attack vector requires local access with low privileges and no user interaction, and the impact is limited to availability (potential kernel crashes or system instability) without confidentiality or integrity compromise. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the impact of CVE-2024-26960 primarily concerns system stability and availability. Linux is widely used across European enterprises, government agencies, and critical infrastructure, often as the backbone for servers, cloud environments, and embedded systems. A successful exploitation could cause kernel crashes or denial of service conditions, disrupting business operations, especially in environments relying on swap for memory management under heavy load. Although the vulnerability does not directly expose confidential data or allow privilege escalation, the resulting system instability could lead to downtime, impacting services and potentially causing cascading failures in dependent systems. Organizations with high availability requirements, such as financial institutions, healthcare providers, and telecommunications companies, may face operational risks if affected systems are not patched promptly. The lack of known exploits reduces immediate risk, but the theoretical nature of the race condition means that under specific workloads or timing conditions, exploitation could be feasible, especially in multi-threaded or virtualized environments common in European data centers.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address this race condition as soon as they become available. Until patches are deployed, system administrators should monitor swap usage and consider minimizing swapoff operations or scheduling them during maintenance windows to reduce concurrency risks. Employing kernel live patching solutions where supported can reduce downtime and exposure. Additionally, organizations should audit and limit local user privileges to prevent untrusted users from triggering swapoff or related operations. Implementing robust monitoring for kernel crashes and unusual swap activity can provide early warning signs of exploitation attempts. For virtualized environments, ensuring hypervisor and guest kernel versions are up to date can mitigate compounded risks. Finally, incorporating this vulnerability into vulnerability management and incident response plans will help maintain operational resilience.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-26960: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<-----
AI-Powered Analysis
Technical Analysis
CVE-2024-26960 is a medium-severity vulnerability in the Linux kernel's memory management subsystem, specifically related to swap management. The issue arises from a race condition between two kernel functions: free_swap_and_cache() and swapoff(). In Linux, swapoff() is used to disable swap devices, and free_swap_and_cache() is responsible for freeing swap cache entries. The vulnerability occurs because swapoff() can teardown a swap_info_struct (the kernel's internal structure representing a swap device) while free_swap_and_cache() is concurrently running in another thread. This race condition can lead to free_swap_and_cache() accessing freed memory, particularly the swap_map, which tracks swap pages. Although the vulnerability is described as theoretical and no test case has successfully provoked it, code review confirms its plausibility. The root cause is that swapoff() may proceed to unuse swap pages and free swap cache entries while free_swap_and_cache() is still operating, potentially causing use-after-free conditions. The fix involves synchronizing these operations by using get_swap_device() and put_swap_device() calls to stall swapoff() until free_swap_and_cache() completes, and adding additional checks in free_swap_and_cache() to ensure swap entries are valid before access. The vulnerability is classified under CWE-362 (Race Condition) and has a CVSS v3.1 base score of 5.5, indicating medium severity. The attack vector requires local access with low privileges and no user interaction, and the impact is limited to availability (potential kernel crashes or system instability) without confidentiality or integrity compromise. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the impact of CVE-2024-26960 primarily concerns system stability and availability. Linux is widely used across European enterprises, government agencies, and critical infrastructure, often as the backbone for servers, cloud environments, and embedded systems. A successful exploitation could cause kernel crashes or denial of service conditions, disrupting business operations, especially in environments relying on swap for memory management under heavy load. Although the vulnerability does not directly expose confidential data or allow privilege escalation, the resulting system instability could lead to downtime, impacting services and potentially causing cascading failures in dependent systems. Organizations with high availability requirements, such as financial institutions, healthcare providers, and telecommunications companies, may face operational risks if affected systems are not patched promptly. The lack of known exploits reduces immediate risk, but the theoretical nature of the race condition means that under specific workloads or timing conditions, exploitation could be feasible, especially in multi-threaded or virtualized environments common in European data centers.
Mitigation Recommendations
European organizations should prioritize applying the official Linux kernel patches that address this race condition as soon as they become available. Until patches are deployed, system administrators should monitor swap usage and consider minimizing swapoff operations or scheduling them during maintenance windows to reduce concurrency risks. Employing kernel live patching solutions where supported can reduce downtime and exposure. Additionally, organizations should audit and limit local user privileges to prevent untrusted users from triggering swapoff or related operations. Implementing robust monitoring for kernel crashes and unusual swap activity can provide early warning signs of exploitation attempts. For virtualized environments, ensuring hypervisor and guest kernel versions are up to date can mitigate compounded risks. Finally, incorporating this vulnerability into vulnerability management and incident response plans will help maintain operational resilience.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.201Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe2f2f
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:40:14 PM
Last updated: 8/15/2025, 3:44:27 AM
Views: 10
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.