CVE-2024-26976: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated---
AI Analysis
Technical Summary
CVE-2024-26976 is a high-severity vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. The issue arises from improper handling of asynchronous page fault (#PF) workqueues associated with virtual CPUs (vCPUs) when a virtual machine (VM) and its vCPUs are being destroyed. Specifically, the vulnerability involves the failure to always flush the per-vCPU async #PF workqueue during vCPU teardown, which can lead to race conditions where workqueue callbacks attempt to dereference freed vCPU or VM memory. This improper synchronization can cause use-after-free conditions, kernel crashes, or deadlocks. The vulnerability is rooted in the logic that previously attempted to gift a reference count of the VM to the async_pf_execute() function to prevent premature memory dereferencing. However, this approach introduced a deadlock scenario because async_pf_execute() waits for kvm_put_kvm() to finish, and vice versa, creating a circular wait. The fix involves removing the misguided VM reference gifting and ensuring that the async #PF workqueue is always flushed before the vCPU and VM memory are freed. This guarantees that no workqueue callbacks are running when the last reference to the KVM module is released, preventing module unloading issues and potential kernel panics. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) due to the potential for deadlocks and hangs. The CVSS v3.1 score is 7.0 (High), reflecting the requirement for local access with low privileges and high impact on confidentiality, integrity, and availability. Exploitation does not require user interaction but does require local privileges and high attack complexity. No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions containing the affected commit hashes, typically impacting systems running KVM virtualization on Linux kernels around version 6.6.0-rc1 and similar. The issue is particularly relevant for environments heavily utilizing KVM virtualization, such as cloud providers, data centers, and enterprises running virtualized workloads on Linux hosts.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially those relying on Linux-based virtualization infrastructure using KVM. The potential impacts include system instability, denial of service due to kernel deadlocks or crashes, and possible escalation of privileges if attackers can exploit the race conditions to execute arbitrary code in kernel context. Confidentiality and integrity of virtualized workloads could be compromised if attackers manipulate the asynchronous page fault handling to access or corrupt memory. Organizations running private clouds, public cloud services, or virtualized environments in sectors such as finance, telecommunications, government, and critical infrastructure are particularly at risk. Disruptions could lead to service outages, data breaches, and compliance violations under regulations like GDPR. The requirement for local access limits remote exploitation but insider threats or compromised user accounts could leverage this vulnerability. The absence of known exploits reduces immediate risk but patching is critical to prevent future attacks, especially as KVM is widely used across European data centers and cloud providers.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernels with the updated KVM fixes that ensure proper flushing of async #PF workqueues during vCPU teardown. Specifically, they should: 1) Identify all Linux hosts running KVM virtualization and verify kernel versions against the affected commit hashes or CVE advisories. 2) Apply vendor-provided kernel patches or upgrade to Linux kernel versions where this vulnerability is resolved. 3) Implement strict access controls and monitoring on hosts running KVM to limit local user privileges and detect suspicious activities related to vCPU or VM destruction. 4) Use kernel live patching solutions where available to minimize downtime during patch deployment. 5) Conduct thorough testing in staging environments to ensure stability post-patch, given the complexity of kernel workqueue handling. 6) Review and harden virtualization management workflows to prevent unauthorized VM or vCPU destruction requests. 7) Maintain up-to-date incident response plans for kernel-level vulnerabilities and monitor security advisories for any emerging exploit techniques related to this CVE. These steps go beyond generic advice by focusing on the virtualization-specific nature of the vulnerability and the operational practices around KVM environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy, Spain, Poland
CVE-2024-26976: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: KVM: Always flush async #PF workqueue when vCPU is being destroyed Always flush the per-vCPU async #PF workqueue when a vCPU is clearing its completion queue, e.g. when a VM and all its vCPUs is being destroyed. KVM must ensure that none of its workqueue callbacks is running when the last reference to the KVM _module_ is put. Gifting a reference to the associated VM prevents the workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. Drop the misguided VM refcount gifting, as calling kvm_put_kvm() from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will result in deadlock. async_pf_execute() can't return until kvm_put_kvm() finishes, and kvm_put_kvm() can't return until async_pf_execute() finishes: WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm] Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events async_pf_execute [kvm] RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm] Call Trace: <TASK> async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- INFO: task kworker/8:1:251 blocked for more than 120 seconds. Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000 Workqueue: events async_pf_execute [kvm] Call Trace: <TASK> __schedule+0x33f/0xa40 schedule+0x53/0xc0 schedule_timeout+0x12a/0x140 __wait_for_common+0x8d/0x1d0 __flush_work.isra.0+0x19f/0x2c0 kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm] kvm_arch_destroy_vm+0x78/0x1b0 [kvm] kvm_put_kvm+0x1c1/0x320 [kvm] async_pf_execute+0x198/0x260 [kvm] process_one_work+0x145/0x2d0 worker_thread+0x27e/0x3a0 kthread+0xba/0xe0 ret_from_fork+0x2d/0x50 ret_from_fork_asm+0x11/0x20 </TASK> If kvm_clear_async_pf_completion_queue() actually flushes the workqueue, then there's no need to gift async_pf_execute() a reference because all invocations of async_pf_execute() will be forced to complete before the vCPU and its VM are destroyed/freed. And that in turn fixes the module unloading bug as __fput() won't do module_put() on the last vCPU reference until the vCPU has been freed, e.g. if closing the vCPU file also puts the last reference to the KVM module. Note that kvm_check_async_pf_completion() may also take the work item off the completion queue and so also needs to flush the work queue, as the work will not be seen by kvm_clear_async_pf_completion_queue(). Waiting on the workqueue could theoretically delay a vCPU due to waiting for the work to complete, but that's a very, very small chance, and likely a very small delay. kvm_arch_async_page_present_queued() unconditionally makes a new request, i.e. will effectively delay entering the guest, so the remaining work is really just: trace_kvm_async_pf_completed(addr, cr2_or_gpa); __kvm_vcpu_wake_up(vcpu); mmput(mm); and mmput() can't drop the last reference to the page tables if the vCPU is still alive, i.e. the vCPU won't get stuck tearing down page tables. Add a helper to do the flushing, specifically to deal with "wakeup all" work items, as they aren't actually work items, i.e. are never placed in a workqueue. Trying to flush a bogus workqueue entry rightly makes __flush_work() complain (kudos to whoever added that sanity check). Note, commit 5f6de5cbebee ("KVM: Prevent module exit until al ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-26976 is a high-severity vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem. The issue arises from improper handling of asynchronous page fault (#PF) workqueues associated with virtual CPUs (vCPUs) when a virtual machine (VM) and its vCPUs are being destroyed. Specifically, the vulnerability involves the failure to always flush the per-vCPU async #PF workqueue during vCPU teardown, which can lead to race conditions where workqueue callbacks attempt to dereference freed vCPU or VM memory. This improper synchronization can cause use-after-free conditions, kernel crashes, or deadlocks. The vulnerability is rooted in the logic that previously attempted to gift a reference count of the VM to the async_pf_execute() function to prevent premature memory dereferencing. However, this approach introduced a deadlock scenario because async_pf_execute() waits for kvm_put_kvm() to finish, and vice versa, creating a circular wait. The fix involves removing the misguided VM reference gifting and ensuring that the async #PF workqueue is always flushed before the vCPU and VM memory are freed. This guarantees that no workqueue callbacks are running when the last reference to the KVM module is released, preventing module unloading issues and potential kernel panics. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) due to the potential for deadlocks and hangs. The CVSS v3.1 score is 7.0 (High), reflecting the requirement for local access with low privileges and high impact on confidentiality, integrity, and availability. Exploitation does not require user interaction but does require local privileges and high attack complexity. No known exploits are currently reported in the wild. The vulnerability affects Linux kernel versions containing the affected commit hashes, typically impacting systems running KVM virtualization on Linux kernels around version 6.6.0-rc1 and similar. The issue is particularly relevant for environments heavily utilizing KVM virtualization, such as cloud providers, data centers, and enterprises running virtualized workloads on Linux hosts.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially those relying on Linux-based virtualization infrastructure using KVM. The potential impacts include system instability, denial of service due to kernel deadlocks or crashes, and possible escalation of privileges if attackers can exploit the race conditions to execute arbitrary code in kernel context. Confidentiality and integrity of virtualized workloads could be compromised if attackers manipulate the asynchronous page fault handling to access or corrupt memory. Organizations running private clouds, public cloud services, or virtualized environments in sectors such as finance, telecommunications, government, and critical infrastructure are particularly at risk. Disruptions could lead to service outages, data breaches, and compliance violations under regulations like GDPR. The requirement for local access limits remote exploitation but insider threats or compromised user accounts could leverage this vulnerability. The absence of known exploits reduces immediate risk but patching is critical to prevent future attacks, especially as KVM is widely used across European data centers and cloud providers.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernels with the updated KVM fixes that ensure proper flushing of async #PF workqueues during vCPU teardown. Specifically, they should: 1) Identify all Linux hosts running KVM virtualization and verify kernel versions against the affected commit hashes or CVE advisories. 2) Apply vendor-provided kernel patches or upgrade to Linux kernel versions where this vulnerability is resolved. 3) Implement strict access controls and monitoring on hosts running KVM to limit local user privileges and detect suspicious activities related to vCPU or VM destruction. 4) Use kernel live patching solutions where available to minimize downtime during patch deployment. 5) Conduct thorough testing in staging environments to ensure stability post-patch, given the complexity of kernel workqueue handling. 6) Review and harden virtualization management workflows to prevent unauthorized VM or vCPU destruction requests. 7) Maintain up-to-date incident response plans for kernel-level vulnerabilities and monitor security advisories for any emerging exploit techniques related to this CVE. These steps go beyond generic advice by focusing on the virtualization-specific nature of the vulnerability and the operational practices around KVM environments.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-02-19T14:20:24.203Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9829c4522896dcbe2fa9
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 7/3/2025, 1:25:20 AM
Last updated: 8/11/2025, 5:44:30 PM
Views: 22
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.