CVE-2024-35801: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a per-CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in order to avoid unnecessary writes to the MSR.

On CPU hotplug MSR_IA32_XFD is reset to init_fpstate.xfd, which wipes out any stale state. But the per-CPU cached xfd value is not reset, which brings them out of sync. As a consequence a subsequent xfd_update_state() might fail to update the MSR, which in turn can result in XRSTOR raising a #NM in kernel space, which crashes the kernel.

To fix this, introduce xfd_set_state() to write xfd_state together with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.
AI Analysis
Technical Summary
CVE-2024-35801 is a high-severity vulnerability in the Linux kernel related to the handling of the x86 Floating Point Unit (FPU) state, specifically the management of the MSR_IA32_XFD register and its cached counterpart, xfd_state. The vulnerability stems from a synchronization issue introduced by recent commits (672365477ae8 and 8bf26758ca96) that added a per-CPU variable xfd_state to cache the MSR_IA32_XFD value to reduce unnecessary writes. During CPU hotplug operations, the MSR_IA32_XFD register is reset to a known initial state (init_fpstate.xfd), but the cached xfd_state variable is not reset accordingly. This desynchronization can cause the xfd_update_state() function to fail to update the MSR correctly. As a result, the XRSTOR instruction, which restores the FPU state, may trigger a #NM (Device Not Available) exception within kernel space, leading to a kernel crash. The fix involves introducing a new function, xfd_set_state(), which updates both the MSR_IA32_XFD register and the cached xfd_state variable simultaneously, ensuring consistency across all code paths that modify MSR_IA32_XFD. This vulnerability is classified under CWE-416 (Use After Free), indicating improper handling of state leading to invalid memory or state usage. The CVSS v3.1 score is 7.8 (high), reflecting the vulnerability's potential to impact confidentiality, integrity, and availability with limited privileges required and no user interaction needed. Exploitation requires local access with low privileges but can cause a denial of service (kernel crash) and potentially escalate to higher impact scenarios depending on the environment. No known exploits are currently reported in the wild.
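As an added illustration (not the kernel's own code and not part of this record), the following C model reproduces the cache-versus-register desynchronization the commit message and the summary above describe. The MSR, the per-CPU xfd_state cache, the hotplug reset and the XRSTOR fault check are all simulated stand-ins; the XTILE_DATA bit position and the function names mirror the kernel's naming but are assumptions of the model, and the "buggy" paths model the pre-fix behaviour only closely enough to show why the cached value and the hardware register must be written together.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for one CPU: the hardware MSR and the kernel's
 * per-CPU cache of it (the real xfd_state is a per-CPU variable). */
static uint64_t msr_ia32_xfd;
static uint64_t xfd_state;
static unsigned msr_writes;

/* Assumption of the model: XFEATURE_XTILE_DATA is state component 18 and
 * init_fpstate.xfd has its bit set, i.e. AMX tile data is "disarmed". */
#define XFEATURE_MASK_XTILE_DATA (1ULL << 18)
#define INIT_FPSTATE_XFD         XFEATURE_MASK_XTILE_DATA

/* Simulated wrmsrl(MSR_IA32_XFD, v); counts writes so the cache's purpose
 * (avoiding redundant MSR writes) is visible. */
static void wrmsrl_xfd(uint64_t v) { msr_ia32_xfd = v; msr_writes++; }

/* Pre-fix pattern: the MSR is written only when the cache says it changed. */
static void xfd_update_state_buggy(uint64_t xfd) {
    if (xfd_state != xfd) {
        xfd_state = xfd;
        wrmsrl_xfd(xfd);
    }
}

/* Pre-fix hotplug path: resets the hardware register but not the cache. */
static void cpu_hotplug_reset_buggy(void) { wrmsrl_xfd(INIT_FPSTATE_XFD); }

/* Fixed pattern: xfd_set_state() writes cache and MSR together, and every
 * place that sets the MSR goes through it. */
static void xfd_set_state(uint64_t xfd) {
    xfd_state = xfd;
    wrmsrl_xfd(xfd);
}
static void xfd_update_state_fixed(uint64_t xfd) {
    if (xfd_state != xfd)
        xfd_set_state(xfd);
}
static void cpu_hotplug_reset_fixed(void) { xfd_set_state(INIT_FPSTATE_XFD); }

/* XRSTOR model: restoring a component whose XFD bit is still set raises #NM.
 * In the real kernel this #NM happens in kernel mode and is fatal. */
static bool xrstor_raises_nm(uint64_t xfeatures) {
    return (xfeatures & msr_ia32_xfd) != 0;
}

/* Cache and register should always agree; the bug is exactly a violation. */
static bool xfd_in_sync(void) { return xfd_state == msr_ia32_xfd; }

/* Scenario: a task has AMX enabled (XFD bit cleared), the CPU goes through
 * offline/online, the task is scheduled back and its state is restored.
 * Returns true if the modelled kernel would take a #NM in kernel space. */
static bool run_scenario(bool fixed) {
    msr_writes = 0;
    xfd_set_state(INIT_FPSTATE_XFD);          /* boot: cache and MSR agree */

    uint64_t task_xfd = 0;                    /* task uses tile data: arm nothing */
    if (fixed) xfd_update_state_fixed(task_xfd); else xfd_update_state_buggy(task_xfd);

    if (fixed) cpu_hotplug_reset_fixed();  else cpu_hotplug_reset_buggy();

    /* Context switch back to the task: kernel asks for XFD == task_xfd.
     * Buggy path: cache already holds 0, so the (now stale) MSR is skipped. */
    if (fixed) xfd_update_state_fixed(task_xfd); else xfd_update_state_buggy(task_xfd);

    return xrstor_raises_nm(XFEATURE_MASK_XTILE_DATA);
}

int main(void) {
    bool nm_buggy = run_scenario(false);
    printf("pre-fix : #NM=%d in_sync=%d msr_writes=%u\n", nm_buggy, xfd_in_sync(), msr_writes);
    bool nm_fixed = run_scenario(true);
    printf("fixed   : #NM=%d in_sync=%d msr_writes=%u\n", nm_fixed, xfd_in_sync(), msr_writes);
    return 0;
}
```

The detail worth taking from the model is that the cache is not wrong in itself: skipping redundant MSR writes is the whole point. It becomes a fault the moment any path writes the register without going through the cache, which is why the fix funnels every MSR_IA32_XFD write through one helper rather than adding a second reset in the hotplug path.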
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily in environments running Linux kernels with the affected commits, especially on x86 architectures that support the MSR_IA32_XFD register and CPU hotplug functionality. The impact includes potential denial of service through kernel crashes triggered by the XRSTOR instruction failing due to state desynchronization. This can disrupt critical services, especially in data centers, cloud infrastructure, and enterprise servers that rely on Linux for virtualization, containerization, or high-availability workloads. Additionally, the kernel crash could be leveraged as a stepping stone for privilege escalation or to destabilize systems in multi-tenant environments. Confidentiality and integrity impacts are rated high due to the possibility of kernel-level faults leading to unpredictable behavior or exploitation chains. European organizations with large-scale Linux deployments, including financial institutions, telecommunications providers, and government agencies, could face operational disruptions and increased incident response costs if this vulnerability is exploited. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this flaw.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-35801. Specifically, kernel maintainers and system administrators must ensure that the xfd_set_state() function or equivalent patches are applied to synchronize the cached xfd_state with the MSR_IA32_XFD register during CPU hotplug and other relevant operations. Beyond patching, organizations should audit their systems for CPU hotplug usage and consider temporarily disabling CPU hotplug functionality if patching is delayed and the environment is sensitive to kernel crashes. Monitoring kernel logs for #NM exceptions or unexpected XRSTOR faults can provide early detection of attempted exploitation or instability. For environments using virtualization or containers, ensure hypervisors and container runtimes are updated and configured to handle kernel crashes gracefully to minimize service disruption. Implementing robust kernel crash recovery mechanisms and maintaining up-to-date backups will reduce downtime impact. Finally, restrict local access to trusted users and enforce strict privilege separation to limit the ability of attackers to trigger this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T12:19:12.341Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe34e8
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 7/3/2025, 1:26:48 AM
Last updated: 12/2/2025, 7:47:30 AM