
CVE-2024-35814: Vulnerability in the Linux kernel

Severity: High
Published: Fri May 17 2024 (05/17/2024, 13:23:19 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: Fix double-allocation of slots due to broken alignment handling

Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool.

When virtio allocates the virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer:

# Final address in brackets is the SWIOTLB address returned to the caller
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)
| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page.

Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page.

This also resolves swiotlb allocation failures occurring due to the inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and resulting in alignment requirements exceeding swiotlb_max_mapping_size().

AI-Powered Analysis

Last updated: 07/03/2025, 01:26:59 UTC

Technical Analysis

CVE-2024-35814 is a high-severity vulnerability in the Linux kernel's SWIOTLB (Software Input/Output Translation Lookaside Buffer) bounce-buffer subsystem, in how the slot search handles alignment. It is a regression: commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), itself a follow-up to commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), made the slot search skip its alignment check for allocations with no original address, which is exactly the case for dma_alloc_coherent() served from a restricted DMA SWIOTLB pool. SWIOTLB slots are 2 KiB, so a 4 KiB page holds two of them; if an earlier allocation left the per-area cursor ('area->index') on an odd slot, the search steps from there in units of the device stride and hands back a run that starts half-way into a page (in the logged case slot 1645 at 0x98326800, an 8 KiB virtqueue for the vsock device). swiotlb_alloc() assumes the result is page-aligned and returns the 'struct page' containing that address, so the caller ends up using the page from 0x98326000, whose first 2 KiB slot still belongs to the previous allocation. That slot is double-allocated and is overwritten by two DMA users at once, producing the buffer corruption and hangs reported. The fix treats the allocation's own alignment (slot-aligned, and page-aligned once the request is at least a page) separately from the device's alignment requirement, uses the larger of the two as the search stride, and thereby also removes the allocation failures caused by folding ~PAGE_MASK into 'iotlb_align_mask' for large requests, which had pushed the alignment requirement past swiotlb_max_mapping_size(). The record is categorized under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer); the page also lists CWE-1055. It affects Linux kernels that contain commit bbb73a103fbb without the fix, and was published on May 17, 2024. The CVSS v3.1 base score is 7.1 (High): local attack vector, low complexity, low privileges, no user interaction, with high integrity and availability impact and no confidentiality impact. The bug is triggered by the kernel's own allocation pattern rather than by attacker-controlled input, and no exploits are known in the wild.
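The following is an added example, not code from the kernel or from this page: a toy model of the SWIOTLB slot search that replays the three logged allocations against a simplified pool, once with the pre-fix stepping (alignment check skipped when orig_addr is 0) and once with the post-fix logic (allocation alignment enforced separately, stride from the larger mask). The pool layout, the "earlier allocation" that leaves the cursor at slot 1645, and the base address 0x97FF0000 (chosen so that slot 1645 lands on 0x98326800 as in the log) are all constructed assumptions.

```c
/*
 * Toy model of the SWIOTLB slot search, added to illustrate CVE-2024-35814.
 * This is not kernel code: pool, in-use map and both search loops are a
 * simplified re-implementation of the behaviour described above. Slots are
 * IO_TLB_SIZE (2 KiB) and PAGE_SIZE is 4 KiB, so every page holds two slots.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_TLB_SHIFT 11
#define IO_TLB_SIZE  (1UL << IO_TLB_SHIFT)
#define PAGE_SIZE    4096UL
#define NSLOTS       7168                 /* the "/7168" in the log lines */

struct pool {
    uint64_t start;          /* bus address of slot 0 (page-aligned) */
    uint8_t  used[NSLOTS];   /* 1 = slot handed out */
    unsigned cursor;         /* next-fit position, models area->index */
};

static unsigned wrap(unsigned i) { return i % NSLOTS; }
static unsigned long nr_slots(size_t size) { return (size + IO_TLB_SIZE - 1) >> IO_TLB_SHIFT; }
static uint64_t slot_addr(const struct pool *p, unsigned i) { return p->start + ((uint64_t)i << IO_TLB_SHIFT); }

static bool run_free(const struct pool *p, unsigned i, unsigned long n)
{
    if (i + n > NSLOTS) return false;     /* a run never wraps around the pool */
    for (unsigned long k = 0; k < n; k++)
        if (p->used[i + k]) return false;
    return true;
}

static void claim(struct pool *p, unsigned i, unsigned long n) { memset(&p->used[i], 1, n); p->cursor = wrap(i + n); }

/* Pre-fix search. With orig_addr == 0 (dma_alloc_coherent) the alignment check is
 * skipped and the loop steps by `stride` from wherever the cursor was left, so an
 * odd cursor only ever visits odd, page-unaligned slots. */
static long find_slots_buggy(struct pool *p, size_t size, uint64_t orig_addr, uint64_t iotlb_align_mask)
{
    unsigned long n = nr_slots(size), stride = (iotlb_align_mask >> IO_TLB_SHIFT) + 1;
    unsigned i = p->cursor;
    for (unsigned long checked = 0; checked < NSLOTS;) {
        if (orig_addr && (slot_addr(p, i) & iotlb_align_mask) != (orig_addr & iotlb_align_mask)) {
            i = wrap(i + 1); checked++; continue;
        }
        if (run_free(p, i, n)) { claim(p, i, n); return i; }
        i = wrap(i + stride); checked += stride;
    }
    return -1;
}

/* Post-fix search. The allocation's own alignment (slot-aligned, page-aligned once
 * the request reaches a page) is checked on every candidate, separately from the
 * device's iotlb_align_mask; the larger of the two masks sets the stride. */
static long find_slots_fixed(struct pool *p, size_t size, uint64_t orig_addr, uint64_t iotlb_align_mask, uint64_t alloc_align_mask)
{
    if (size >= PAGE_SIZE) alloc_align_mask |= PAGE_SIZE - 1;
    alloc_align_mask |= IO_TLB_SIZE - 1;
    uint64_t m = alloc_align_mask > iotlb_align_mask ? alloc_align_mask : iotlb_align_mask;
    unsigned long n = nr_slots(size), stride = (m >> IO_TLB_SHIFT) + 1;
    unsigned i = p->cursor;
    for (unsigned long checked = 0; checked < NSLOTS;) {
        uint64_t a = slot_addr(p, i);
        if ((a & alloc_align_mask) || (orig_addr && (a & iotlb_align_mask) != (orig_addr & iotlb_align_mask))) {
            i = wrap(i + 1); checked++; continue;
        }
        if (run_free(p, i, n)) { claim(p, i, n); return i; }
        i = wrap(i + stride); checked += stride;
    }
    return -1;
}

/* Constructed scenario matching the log: an earlier 6 KiB bounce left the cursor at
 * slot 1645, then three 8 KiB dma_alloc_coherent()-style requests follow (orig_addr
 * 0x0, iotlb_align_mask 0x800). swiotlb_alloc() hands the caller the struct page
 * containing the first slot, i.e. the address rounded down to the page, so an odd
 * first slot silently pulls in the slot before it. Returns the number of requests
 * whose page-rounded footprint includes a slot owned by someone else. */
static long scen_slot[3];
static uint64_t scen_addr[3];

static int run_scenario(bool fixed)
{
    struct pool p;
    int collisions = 0;
    memset(&p, 0, sizeof p);
    p.start = 0x97FF0000ULL;              /* assumed base: slot 1645 -> 0x98326800 as in the log */
    claim(&p, 1642, 3);                   /* earlier allocation: slots 1642-1644, cursor -> 1645 */
    for (int k = 0; k < 3; k++) {
        long s = fixed ? find_slots_fixed(&p, 0x2000, 0, 0x800, 0) : find_slots_buggy(&p, 0x2000, 0, 0x800);
        if (s < 0) return -1;
        scen_slot[k] = s;
        scen_addr[k] = slot_addr(&p, (unsigned)s);
        if ((s & 1) && p.used[s - 1]) collisions++;   /* page rounding overlaps a foreign slot */
    }
    return collisions;
}

static long scenario_slot(int k) { return scen_slot[k]; }
static uint64_t scenario_addr(int k) { return scen_addr[k]; }

int main(void)
{
    for (int fixed = 0; fixed < 2; fixed++) {
        printf("%s: %d double-allocated page(s)\n", fixed ? "fixed" : "buggy", run_scenario(fixed));
        for (int k = 0; k < 3; k++)       /* 0x2000 bytes = 4 slots, printed like the kernel log */
            printf("  got slot %ld-%ld/%d (0x%llx)\n", scenario_slot(k), scenario_slot(k) + 4, NSLOTS,
                   (unsigned long long)scenario_addr(k));
    }
    return 0;
}
```

The buggy pass reproduces the three logged runs (1645, 1649, 1653, all odd, all overlapping the preceding allocation's last slot once swiotlb_alloc() rounds down to the page); the fixed pass rejects slot 1645 because its address has bit 11 set, moves to 1646 and returns page-aligned runs with no overlap.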

Potential Impact

For European organizations, the exposure is confined to systems running a kernel that contains commit bbb73a103fbb without the fix, and in practice to virtual machines whose virtio devices bounce through a restricted DMA SWIOTLB pool, the configuration named in the description. There the double-allocated 2 KiB slot is written by two DMA users at once, which shows up as virtqueue corruption, vsock failures or a guest hang: a loss of integrity and availability for the affected guest. Although the CVSS vector rates the attack as local with low privileges, the advisory describes no exploitation primitive; the overlapping allocations are made by the kernel itself, so the realistic outcome is instability or denial of service of the guest, and any privilege escalation from the resulting kernel memory corruption is speculative and has not been demonstrated. In the Linux-based cloud and data-center estates common in Europe, notably in finance, telecommunications and government, the practical risk is therefore disruption of affected guests and of the services they host rather than data leakage, since confidentiality is not impacted. No exploits are known in the wild, which leaves a window for proactive patching.

Mitigation Recommendations

European organizations should prioritize updating to a kernel that carries the fix for CVE-2024-35814 ("swiotlb: Fix double-allocation of slots due to broken alignment handling") as soon as their distribution ships it. The regression only exists in kernels that contain commit bbb73a103fbb, so check the distribution's changelog or advisory for that commit and for the fix rather than assuming every kernel is affected. Until patches are applied:
1) Identify the guests that actually use a restricted DMA SWIOTLB pool with virtio devices; these are the systems where the regression can trigger and they should be updated first.
2) Watch kernel logs (dmesg) on those guests for swiotlb allocation failures, virtio or vsock errors and unexplained hangs, which are the symptoms the description reports.
3) Restrict local access to systems running vulnerable kernels, limiting untrusted user or process execution in virtualized environments.
4) Keep SELinux or AppArmor enabled as general hardening, but note that they confine user-space processes and do not reach kernel-internal DMA allocations, so they do not prevent this bug.
5) For cloud providers and data centers, isolate workloads and enforce strict tenant separation so that a guest destabilized by this issue cannot affect its neighbours.
6) Subscribe to Linux distribution security advisories to ensure timely patch deployment.
7) Test kernel updates in staging environments together with the virtualization stack before production rollout.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T12:19:12.343Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe353d

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 7/3/2025, 1:26:59 AM

Last updated: 8/18/2025, 10:46:09 AM
