CVE-2024-35801: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a per-CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in order to avoid unnecessary writes to the MSR.

On CPU hotplug, MSR_IA32_XFD is reset to init_fpstate.xfd, which wipes out any stale state. But the per-CPU cached xfd value is not reset, which brings them out of sync. As a consequence, a subsequent xfd_update_state() might fail to update the MSR, which in turn can result in XRSTOR raising a #NM in kernel space, which crashes the kernel.

To fix this, introduce xfd_set_state() to write xfd_state together with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.
AI Analysis
Technical Summary
CVE-2024-35801 is a high-severity vulnerability in the Linux kernel related to the handling of the x86 Floating Point Unit (FPU) state, specifically the management of the MSR_IA32_XFD register and its cached counterpart, xfd_state. The vulnerability stems from a synchronization issue introduced by recent commits (672365477ae8 and 8bf26758ca96) that added a per-CPU variable xfd_state to cache the MSR_IA32_XFD value to reduce unnecessary writes. During CPU hotplug operations, the MSR_IA32_XFD register is reset to a known initial state (init_fpstate.xfd), but the cached xfd_state variable is not reset accordingly. This desynchronization can cause the xfd_update_state() function to fail to update the MSR correctly. As a result, the XRSTOR instruction, which restores the FPU state, may trigger a #NM (Device Not Available) exception within kernel space, leading to a kernel crash.

The fix involves introducing a new function, xfd_set_state(), which updates both the MSR_IA32_XFD register and the cached xfd_state variable simultaneously, ensuring consistency across all code paths that modify MSR_IA32_XFD.

This vulnerability is classified under CWE-416 (Use After Free), indicating improper handling of state leading to invalid memory or state usage. The CVSS v3.1 score is 7.8 (high), reflecting the vulnerability's potential to impact confidentiality, integrity, and availability with limited privileges required and no user interaction needed. Exploitation requires local access with low privileges but can cause a denial of service (kernel crash) and potentially escalate to higher impact scenarios depending on the environment. No known exploits are currently reported in the wild.
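The cache/MSR desynchronization described above, as an added stand-alone C model that is not kernel code: a simulated MSR_IA32_XFD, a per-CPU cache xfd_state, a hotplug reset that writes only the MSR (the bug) beside one that goes through xfd_set_state() (the fix), and a check of whether XRSTOR would then fault. The helper names cpu_online_buggy, cpu_online_fixed, xrstor_raises_nm and scenario are hypothetical, and the default XFD value is modelled as the AMX TILEDATA bit.

```c
/* Constructed model of CVE-2024-35801: not kernel code. The cached
 * xfd_state is meant to mirror MSR_IA32_XFD so writes can be skipped. */
#include <stdint.h>
#include <stdbool.h>

static uint64_t msr_ia32_xfd;   /* simulated hardware MSR */
static uint64_t xfd_state;      /* simulated per-CPU software cache */

/* Modelled init_fpstate.xfd: AMX TILEDATA (xfeature bit 18) disabled. */
#define XFEATURE_MASK_XTILE_DATA (1ULL << 18)
static const uint64_t init_fpstate_xfd = XFEATURE_MASK_XTILE_DATA;

static void wrmsrl_xfd(uint64_t val) { msr_ia32_xfd = val; }

/* Fixed helper from the patch: cache and MSR are always written together. */
static void xfd_set_state(uint64_t xfd) { xfd_state = xfd; wrmsrl_xfd(xfd); }

/* Buggy hotplug path: resets the MSR but leaves the cache untouched. */
static void cpu_online_buggy(void) { wrmsrl_xfd(init_fpstate_xfd); }

/* Patched hotplug path: goes through xfd_set_state(). */
static void cpu_online_fixed(void) { xfd_set_state(init_fpstate_xfd); }

/* xfd_update_state(): the write is skipped whenever the cache already
 * holds the wanted value, which is exactly what goes wrong after
 * cpu_online_buggy() has silently changed the MSR. */
static void xfd_update_state(uint64_t wanted)
{
    if (xfd_state != wanted)
        xfd_set_state(wanted);
}

/* XRSTOR of a buffer with the given feature bits raises #NM when any of
 * those features is still disabled in the real MSR. */
static bool xrstor_raises_nm(uint64_t features)
{
    return (msr_ia32_xfd & features) != 0;
}

/* A task is granted AMX (XFD cleared), the CPU goes offline and back
 * online, then the task resumes. Returns true if XRSTOR would fault. */
static bool scenario(bool fixed)
{
    xfd_set_state(init_fpstate_xfd);            /* boot: in sync */
    xfd_update_state(0);                        /* task enables AMX */
    if (fixed) cpu_online_fixed(); else cpu_online_buggy();
    xfd_update_state(0);                        /* task resumes */
    return xrstor_raises_nm(XFEATURE_MASK_XTILE_DATA);
}
```

scenario(false) reports a fault because the second xfd_update_state(0) sees a matching cache and never rewrites the MSR; scenario(true) does not.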
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily in environments running Linux kernels with the affected commits, especially on x86 architectures that support the MSR_IA32_XFD register and CPU hotplug functionality. The impact includes potential denial of service through kernel crashes triggered by the XRSTOR instruction failing due to state desynchronization. This can disrupt critical services, especially in data centers, cloud infrastructure, and enterprise servers that rely on Linux for virtualization, containerization, or high-availability workloads. Additionally, the kernel crash could be leveraged as a stepping stone for privilege escalation or to destabilize systems in multi-tenant environments. Confidentiality and integrity impacts are rated high due to the possibility of kernel-level faults leading to unpredictable behavior or exploitation chains. European organizations with large-scale Linux deployments, including financial institutions, telecommunications providers, and government agencies, could face operational disruptions and increased incident response costs if this vulnerability is exploited. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this flaw.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels to versions that include the fix for CVE-2024-35801. Specifically, kernel maintainers and system administrators must ensure that the xfd_set_state() function or equivalent patches are applied to synchronize the cached xfd_state with the MSR_IA32_XFD register during CPU hotplug and other relevant operations. Beyond patching, organizations should audit their systems for CPU hotplug usage and consider temporarily disabling CPU hotplug functionality if patching is delayed and the environment is sensitive to kernel crashes. Monitoring kernel logs for #NM exceptions or unexpected XRSTOR faults can provide early detection of attempted exploitation or instability. For environments using virtualization or containers, ensure hypervisors and container runtimes are updated and configured to handle kernel crashes gracefully to minimize service disruption. Implementing robust kernel crash recovery mechanisms and maintaining up-to-date backups will reduce downtime impact. Finally, restrict local access to trusted users and enforce strict privilege separation to limit the ability of attackers to trigger this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T12:19:12.341Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe34e8
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 7/3/2025, 1:26:48 AM
Last updated: 8/15/2025, 3:16:39 PM
Views: 14