CVE-2024-26989: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

arm64: hibernate: Fix level3 translation fault in swsusp_save()

On arm64 machines, swsusp_save() faults if it attempts to access MEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:

  Unable to handle kernel paging request at virtual address ffffff8000000000
  Mem abort info:
    ESR = 0x0000000096000007
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x07: level 3 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000
  [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000
  Internal error: Oops: 0000000096000007 [#1] SMP
  Internal error: Oops: 0000000096000007 [#1] SMP
  Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm
  CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76
  Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0
  Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021
  pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : swsusp_save+0x280/0x538
  lr : swsusp_save+0x280/0x538
  sp : ffffffa034a3fa40
  x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000
  x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000
  x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2
  x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000
  x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666
  x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea
  x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0
  x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001
  x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e
  Call trace:
   swsusp_save+0x280/0x538
   swsusp_arch_suspend+0x148/0x190
   hibernation_snapshot+0x240/0x39c
   hibernate+0xc4/0x378
   state_store+0xf0/0x10c
   kobj_attr_store+0x14/0x24

The reason is swsusp_save() -> copy_data_pages() -> page_is_saveable() -> kernel_page_present() assuming that a page is always present when can_set_direct_map() is false (all of rodata_full, debug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false), irrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions should not be saved during hibernation.

This problem was introduced by changes to the pfn_valid() logic in commit a7d9f306ba70 ("arm64: drop pfn_valid_within() and simplify pfn_valid()").

Similar to other architectures, drop the !can_set_direct_map() check in kernel_page_present() so that page_is_savable() skips such pages.

[catalin.marinas@arm.com: rework commit message]
AI Analysis
Technical Summary
CVE-2024-26989 is a Linux kernel vulnerability in the hibernation path of the arm64 architecture. The fault surfaces in the swsusp_save() function, which is responsible for saving system state during hibernation. On arm64 machines, swsusp_save() can trigger a level 3 translation fault when it attempts to access MEMBLOCK_NOMAP memory regions, areas of memory that should not be mapped or saved during hibernation. The fault manifests as a kernel paging request error, causing an internal kernel error (Oops) and potentially leading to system crashes or instability during suspend or hibernation operations. The root cause traces to a prior kernel commit (a7d9f306ba70) that changed the pfn_valid() logic: when can_set_direct_map() is false, kernel_page_present() assumes a page is always present, even when it falls within a MEMBLOCK_NOMAP range. As a result, swsusp_save() attempts to save memory pages that should be excluded, and faults. The issue can be reproduced in QEMU using UEFI when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n, which indicates that it affects specific kernel configurations. The fix drops the !can_set_direct_map() check in kernel_page_present() so that page_is_saveable() skips MEMBLOCK_NOMAP pages during the hibernation save, aligning arm64 behavior with other architectures. While this vulnerability does not have a CVSS score assigned yet, it is a kernel-level fault that can cause system crashes during suspend/resume cycles on affected arm64 Linux systems. There are no known exploits in the wild at this time.
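A user-space model of the logic described above, added here as an illustration; it is not kernel code and not code from the original page. The names struct pfn_info, present_before, present_after, snapshot and run_snapshot are hypothetical, and the model assumes a NOMAP frame still passes the pfn validity check, as the reference to the pfn_valid() change implies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One entry per page frame; constructed data, not a real memory map. */
struct pfn_info {
    bool valid;   /* frame has a struct page (passes the pfn validity check) */
    bool mapped;  /* frame has a PTE in the linear map; false for NOMAP */
};

/* Stand-in for can_set_direct_map(); false models the reproducing boot options. */
static bool direct_map_ctl;

/* Before the fix: without direct-map control every page is assumed present. */
static bool present_before(const struct pfn_info *p) { return !direct_map_ctl || p->mapped; }
/* After the fix: the mapping is always consulted. */
static bool present_after(const struct pfn_info *p) { return p->mapped; }

/* Copy-loop model: number of pages copied, or -1 where the kernel would fault. */
static int snapshot(const struct pfn_info *map, size_t n,
                    bool (*present)(const struct pfn_info *))
{
    int copied = 0;
    for (size_t i = 0; i < n; i++) {
        if (!map[i].valid || !present(&map[i]))
            continue;       /* not saveable: skipped */
        if (!map[i].mapped)
            return -1;      /* chosen for copy but unmapped: translation fault */
        copied++;
    }
    return copied;
}

/* Constructed layout: frame 0 is NOMAP (valid pfn, no mapping), frame 3 is a hole. */
static const struct pfn_info sample[] = {
    { true, false }, { true, true }, { true, true }, { false, false } };

int run_snapshot(bool direct_map, bool fixed)
{
    direct_map_ctl = direct_map;
    return snapshot(sample, sizeof(sample) / sizeof(sample[0]),
                    fixed ? present_after : present_before);
}

int main(void)
{
    printf("before fix: %d  after fix: %d\n",
           run_snapshot(false, false), run_snapshot(false, true));
    return 0;
}
```

Only the combination of no direct-map control and the pre-fix check reaches the fault path; with the fixed check the NOMAP frame is skipped and the two mapped frames are copied.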
Potential Impact
For European organizations utilizing arm64-based Linux systems—such as servers, embedded devices, or specialized hardware—this vulnerability poses a risk of system instability or crashes during hibernation or suspend operations. This can lead to unexpected downtime, data loss, or disruption of critical services relying on these systems. Organizations employing Linux in ARM64 environments for cloud infrastructure, edge computing, or IoT deployments may experience increased operational risk. Although the vulnerability does not directly enable privilege escalation or remote code execution, the denial-of-service impact through kernel panics can affect availability and reliability of services. In sectors such as telecommunications, manufacturing, or public services where ARM64 Linux devices are deployed, this could translate into operational interruptions. The absence of known exploits reduces immediate threat but does not eliminate risk, especially as attackers may develop exploits targeting this kernel fault. Additionally, debugging and recovery from such kernel faults can be complex, increasing maintenance overhead.
Mitigation Recommendations
1. Apply the latest Linux kernel patches that address CVE-2024-26989 as soon as they become available from trusted Linux distributions or upstream sources.
2. For systems where immediate patching is not feasible, consider disabling hibernation or suspend-to-disk functionality on affected arm64 devices to avoid triggering the fault.
3. Review kernel boot parameters and configurations to avoid combinations (e.g., rodata=off, debug_pagealloc=off, CONFIG_KFENCE=n) that exacerbate the issue during testing or deployment.
4. Implement robust monitoring of system logs and kernel oops reports to detect early signs of this fault in production environments.
5. For critical systems, maintain tested backups and recovery procedures to minimize downtime in case of crashes.
6. Engage with hardware and Linux distribution vendors to confirm patch availability and compatibility with existing systems.
7. Consider isolating or segmenting arm64 Linux systems in network architecture to limit impact scope in case of instability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.205Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED
Threat ID: 682d9829c4522896dcbe3017
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 1:57:24 PM
Last updated: 8/1/2025, 6:13:11 AM