CVE-2024-35927: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:
drm: Check output polling initialized before disabling
In drm_kms_helper_poll_disable() check if output polling support is initialized before disabling polling. If not, flag this as a warning. Additionally in drm_mode_config_helper_suspend() and drm_mode_config_helper_resume() calls, that are the callers of these functions, avoid invoking them if polling is not initialized.
For drivers like hyperv-drm, that do not initialize connector polling, if suspend is called without this check, it leads to suspend failure with following stack
[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)
[ 770.948823] ------------[ cut here ]------------
[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230
[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod
[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1
[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022
[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230
[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00
[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246
[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857
[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330
[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10
[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330
[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000
[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0
[ 770.948879] Call Trace:
[ 770.948880] <TASK>
[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df
[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df
[ 770.948886] ? __cancel_work_timer+0x103/0x190
[ 770.948887] ? __flush_work.isra.0+0x212/0x230
[ 770.948889] ? __warn+0x81/0x110
[ 770.948891] ? __flush_work.isra.0+0x212/0x230
[ 770.948892] ? report_bug+0x10a/0x140
[ 770.948895] ? handle_bug+0x3c/0x70
[ 770.948898] ? exc_invalid_op+0x14/0x70
[ 770.948899] ? asm_exc_invalid_op+0x16/0x20
[ 770.948903] ? __flush_work.isra.0+0x212/0x230
[ 770.948905] __cancel_work_timer+0x103/0x190
[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30
[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]
[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]
[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]
[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]
[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]
[ 770.948951] dpm_run_callback+0x4c/0x140
[ 770.948954] __device_suspend_noir
---truncated---
AI Analysis
Technical Summary
CVE-2024-35927 is a medium-severity vulnerability in the Linux kernel related to the Direct Rendering Manager (DRM) subsystem, specifically within the drm_kms_helper component that manages kernel mode setting and output polling. The vulnerability arises because drm_kms_helper_poll_disable() does not verify whether output polling support has been initialized before attempting to disable it. This omission can lead to a suspend failure in drivers that do not initialize connector polling, such as the hyperv-drm driver used in Microsoft Hyper-V virtualized environments. When the system attempts to suspend without this check, it triggers a kernel warning and a stack trace indicating a failure in the workqueue flushing mechanism (__flush_work.isra.0). The root cause is that suspend and resume helper functions (drm_mode_config_helper_suspend() and drm_mode_config_helper_resume()) are invoked without confirming polling initialization, leading to improper handling of the polling state and ultimately causing system instability during suspend operations. The issue is particularly relevant for virtual machines running on Hyper-V with the hyperv-drm driver. The vulnerability has been addressed by adding checks to ensure polling is initialized before disabling it and by avoiding calls to suspend/resume helpers if polling is not set up. The CVSS v3.1 score is 5.5 (medium), reflecting a local attack vector requiring low privileges, no user interaction, and resulting in availability impact without confidentiality or integrity compromise. No known exploits are reported in the wild as of the publication date. The vulnerability affects Linux kernel versions identified by the commit hashes provided, and the fix is integrated into kernel updates post-disclosure.
Potential Impact
For European organizations, the impact of CVE-2024-35927 primarily concerns systems running Linux kernels with the affected drm_kms_helper code, especially those deployed in virtualized environments using Microsoft Hyper-V. The vulnerability can cause system suspend operations to fail, potentially leading to system instability, unexpected reboots, or denial of service conditions during power management events. This can disrupt critical services, especially in data centers or cloud environments where virtual machines rely on suspend/resume cycles for maintenance or power saving. Although the vulnerability does not compromise confidentiality or integrity, availability degradation can affect operational continuity. Organizations using Linux-based virtual machines on Hyper-V hosts, common in enterprise and cloud infrastructures across Europe, may experience increased downtime or require manual intervention to recover from suspend failures. The issue is less likely to affect bare-metal Linux servers or those using other virtualization platforms. Given the medium severity and local attack vector, exploitation would generally require access to the affected system with low privileges, limiting remote exploitation risks but emphasizing the need for internal security controls and patch management.
Mitigation Recommendations
To mitigate CVE-2024-35927, European organizations should:
1) Apply the latest Linux kernel updates that include the patch fixing the polling initialization checks in drm_kms_helper. This is the most effective mitigation.
2) For virtualized environments using Hyper-V, ensure that the hyperv-drm driver and related kernel modules are updated to versions containing the fix.
3) Implement strict access controls and monitoring on systems running affected kernels to prevent unauthorized local access, as exploitation requires local privileges.
4) Test suspend/resume operations in controlled environments after patching to verify stability and detect any residual issues.
5) Consider disabling connector polling or modifying power management configurations temporarily if immediate patching is not feasible, though this may impact functionality.
6) Maintain robust backup and recovery procedures to minimize downtime in case of suspend failures.
7) Monitor vendor advisories and Linux kernel mailing lists for any emerging exploit information or additional patches.
These steps go beyond generic advice by focusing on virtualization-specific configurations and local privilege considerations.
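A check for step 4, as an added example that is not part of the original advisory: the Python below scans kernel log text (dmesg-style timestamps) for the warning quoted in the description, a __flush_work WARNING reached through drm_kms_helper_poll_disable, and reports the calling driver module. The sample log is constructed from the quoted trace, and the function names are hypothetical.

```python
import re

TS = r"^\[\s*\d+\.\d+\]\s+"
WARN_RE = re.compile(TS + r"WARNING: .* at (\S+) ([\w.]+)\+0x")
FRAME_RE = re.compile(TS + r"(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

# Constructed sample, abbreviated from the trace quoted in the advisory; the
# "end trace" lines and the second, unrelated warning are made up.
SAMPLE_LOG = """\
[  770.948823] ------------[ cut here ]------------
[  770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230
[  770.948887]  ? __flush_work.isra.0+0x212/0x230
[  770.948905]  __cancel_work_timer+0x103/0x190
[  770.948910]  drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]
[  770.948923]  drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]
[  770.948942]  hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]
[  771.000000] ---[ end trace 0000000000000000 ]---
[  900.000001] ------------[ cut here ]------------
[  900.000002] WARNING: CPU: 0 PID: 42 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230
[  900.000003]  __cancel_work_timer+0x103/0x190
[  900.000004]  example_driver_remove+0x10/0x20 [example_mod]
[  900.000005] ---[ end trace 0000000000000000 ]---
"""

def warning_blocks(log):
    """One list of lines per report: 'cut here' to 'end trace' (or EOF if truncated)."""
    chunks = log.split("[ cut here ]")[1:]
    return [chunk.split("end trace")[0].splitlines() for chunk in chunks]

def find_poll_disable_warnings(log):
    """Return one dict per __flush_work warning reached via drm_kms_helper_poll_disable."""
    hits = []
    for block in warning_blocks(log):
        warn = next((m for m in map(WARN_RE.match, block) if m), None)
        if not warn or not warn.group(2).startswith("__flush_work"):
            continue
        # Frames printed with "? " are unreliable stack leftovers; skip them.
        frames = [(m.group(2), m.group(3))
                  for m in map(FRAME_RE.match, block) if m and not m.group(1)]
        names = [name for name, _ in frames]
        if "drm_kms_helper_poll_disable" not in names:
            continue
        callers = frames[names.index("drm_kms_helper_poll_disable") + 1:]
        driver = next((mod for _, mod in callers if mod and mod != "drm_kms_helper"), None)
        hits.append({"site": warn.group(1),
                     "caller": callers[0][0] if callers else None,
                     "driver": driver})
    return hits

if __name__ == "__main__":
    print(find_poll_disable_warnings(SAMPLE_LOG))
```

An empty result after a suspend/resume cycle on a patched kernel is the expected outcome; a hit names the driver whose suspend path still reaches the unguarded call.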
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.128Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aebfe7
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 5:26:33 PM
Last updated: 8/12/2025, 4:28:56 AM