CVE-2024-26984: Vulnerability in Linux Linux

Medium
Published: Wed May 01 2024 (05/01/2024, 05:27:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

nouveau: fix instmem race condition around ptr stores

Running a lot of VK CTS in parallel against nouveau, once every few hours you might see something like this crash.

    BUG: kernel NULL pointer dereference, address: 0000000000000008
    PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
    Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
    RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
    Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
    RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
    RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
    RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
    RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
    R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
    R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
    FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    ...
    ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
    ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
    nvkm_vmm_iter+0x351/0xa20 [nouveau]
    ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
    ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
    ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
    ? __lock_acquire+0x3ed/0x2170
    ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
    nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
    ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
    ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
    nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]

Adding any sort of useful debug usually makes it go away, so I hand wrote the function in a line, and debugged the asm.

Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in the nv50_instobj_acquire called from nvkm_kmap.

If Thread A and Thread B both get to nv50_instobj_acquire around the same time, and Thread A hits the refcount_set line, and in lockstep thread B succeeds at refcount_inc_not_zero, there is a chance the ptrs value won't have been stored since refcount_set is unordered.

Force a memory barrier here, I picked smp_mb, since we want it on all CPUs and it's write followed by a read.

v2: use paired smp_rmb/smp_wmb.

AI-Powered Analysis

Last updated: 06/29/2025, 13:56:07 UTC

Technical Analysis

CVE-2024-26984 is a medium-severity vulnerability in the Linux kernel's nouveau driver, which is an open-source driver for NVIDIA GPUs. The issue is a race condition in the instmem (instance memory) management code, specifically around the stores to the ptrs pointer that the GPU's virtual memory manager (VMM) code later dereferences. It manifests as a NULL pointer dereference, leading to kernel crashes (kernel oops) during concurrent execution of Vulkan CTS (Conformance Test Suite) workloads.

The root cause is a lack of memory barriers between the pointer assignment and the reference count update: because refcount_set is unordered, a second thread can succeed at refcount_inc_not_zero and still observe a NULL pointer. The fix inserts memory barriers to enforce the ordering of the write and the read across CPUs; the commit message first proposes smp_mb, and v2 of the patch uses paired smp_rmb/smp_wmb.

This vulnerability is classified under CWE-362 (Race Condition) and affects Linux kernel versions containing the nouveau driver code prior to the fix. The CVSS v3.1 score is 5.5 (medium), with an attack vector of local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), but high availability impact (A:H) due to kernel crashes. No known exploits are reported in the wild yet. The vulnerability primarily affects systems running Linux kernels with the nouveau driver enabled and using NVIDIA GPUs, especially under heavy Vulkan workloads or parallel CTS testing scenarios.
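The ordering described above, modelled in user-space C11 as an added example; this is not the nouveau source. The names struct obj, obj_acquire, obj_release and model_ops are constructed, and C11 release/acquire fences stand in for the kernel's smp_wmb/smp_rmb pair: the writer stores the pointer before it publishes the count, and the reader checks the count before it loads the pointer.

```c
/* User-space C11 model of the race in the description; all names are constructed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
struct ops { int (*rd32)(int off); };      /* stand-in for the ptrs table */
static int rd32_model(int off) { return off + 1; }
static const struct ops model_ops = { rd32_model };
struct obj {
    const struct ops *ptrs;  /* plain field, published through maps */
    atomic_uint maps;        /* 0 = unmapped, otherwise number of users */
    atomic_flag lock;        /* spinlock standing in for the driver mutex */
};
/* Analogue of refcount_inc_not_zero(): relaxed, so it orders nothing by itself. */
static bool inc_not_zero(atomic_uint *r)
{
    unsigned v = atomic_load_explicit(r, memory_order_relaxed);
    while (v != 0)
        if (atomic_compare_exchange_weak_explicit(r, &v, v + 1,
                memory_order_relaxed, memory_order_relaxed))
            return true;
    return false;
}
static void lock(struct obj *o) { while (atomic_flag_test_and_set(&o->lock)) ; }
static void unlock(struct obj *o) { atomic_flag_clear(&o->lock); }

const struct ops *obj_acquire(struct obj *o)
{
    if (inc_not_zero(&o->maps)) {                   /* fast path: Thread B */
        atomic_thread_fence(memory_order_acquire);  /* read side, in the role of smp_rmb */
        return o->ptrs;
    }
    lock(o);                                        /* slow path: Thread A */
    if (!inc_not_zero(&o->maps)) {
        o->ptrs = &model_ops;                       /* store the pointer first ... */
        atomic_thread_fence(memory_order_release);  /* write side, in the role of smp_wmb */
        atomic_store_explicit(&o->maps, 1, memory_order_relaxed);  /* ... then publish */
    }
    unlock(o);
    return o->ptrs;  /* stable: the caller now holds a reference */
}

void obj_release(struct obj *o)
{
    lock(o);
    if (atomic_fetch_sub(&o->maps, 1) == 1)
        o->ptrs = NULL;                             /* last user unpublishes */
    unlock(o);
}
int main(void) { struct obj o = { NULL, 0, ATOMIC_FLAG_INIT }; return obj_acquire(&o) ? 0 : 1; }
```

Without the two fences the model has a data race: a fast-path caller may return NULL even though inc_not_zero succeeded, which is the state the crash in the description reflects.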

Potential Impact

For European organizations, the impact of CVE-2024-26984 can be significant in environments relying on Linux systems with NVIDIA GPUs using the nouveau driver, particularly in development, testing, or high-performance computing contexts that utilize Vulkan APIs. The vulnerability causes kernel crashes due to NULL pointer dereferences, leading to system instability and potential denial of service (DoS). This can disrupt critical workloads, especially in sectors like research institutions, media production, and technology companies that leverage GPU acceleration on Linux. Although the vulnerability does not allow privilege escalation or data compromise, the availability impact can cause operational downtime and productivity loss. Organizations running containerized or virtualized environments with GPU passthrough may also be affected if the underlying host kernel is vulnerable. Given the local attack vector and requirement for low privileges, attackers with limited access could trigger the crash, potentially as part of a multi-stage attack or to disrupt services. The lack of user interaction requirement means automated or scripted attacks are feasible once local access is obtained. However, the impact is limited to systems using the nouveau driver rather than proprietary NVIDIA drivers, which may reduce the affected population. Still, many European enterprises and research centers use open-source Linux stacks, making this vulnerability relevant.

Mitigation Recommendations

1. Apply Kernel Updates: Immediately update Linux kernels to versions where the nouveau driver includes the fix for CVE-2024-26984. Monitor distributions' security advisories for patches.
2. Use Proprietary NVIDIA Drivers: Where feasible, switch from the nouveau driver to the proprietary NVIDIA drivers, which are not affected by this specific race condition.
3. Limit Local Access: Restrict local user access to trusted personnel only, as exploitation requires local privileges. Harden user permissions and employ strict access controls on systems with vulnerable kernels.
4. Monitor System Stability: Implement monitoring to detect kernel oops or crashes related to GPU workloads, enabling rapid response and mitigation.
5. Control Workload Parallelism: Reduce or control the concurrency of Vulkan CTS or similar GPU-intensive workloads to minimize triggering the race condition until patches are applied.
6. Use Kernel Lockdown Features: Enable kernel lockdown or secure boot features where supported to reduce the risk of local privilege escalation attempts that could leverage this vulnerability.
7. Test Updates in Staging: Before deploying kernel updates in production, test in staging environments to ensure compatibility and stability, especially for GPU-accelerated applications.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.204Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9829c4522896dcbe2fe9

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 1:56:07 PM

Last updated: 8/14/2025, 6:34:17 PM
