CVE-2024-35957: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix WARN_ON in iommu probe path
Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") adds all devices probed by the iommu driver in a rbtree indexed by the source ID of each device. It assumes that each device has a unique source ID. This assumption is incorrect and the VT-d spec doesn't state this requirement either.
The reason for using a rbtree to track devices is to look up the device with PCI bus and devfunc in the paths of handling ATS invalidation time out error and the PRI I/O page faults. Both are PCI ATS feature related.
Only track the devices that have PCI ATS capabilities in the rbtree to avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some platforms below kernel splat will be displayed and the iommu probe results in failure.
    WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90
    Call Trace:
     <TASK>
     ? __warn+0x7e/0x180
     ? intel_iommu_probe_device+0x319/0xd90
     ? report_bug+0x1f8/0x200
     ? handle_bug+0x3c/0x70
     ? exc_invalid_op+0x18/0x70
     ? asm_exc_invalid_op+0x1a/0x20
     ? intel_iommu_probe_device+0x319/0xd90
     ? debug_mutex_init+0x37/0x50
     __iommu_probe_device+0xf2/0x4f0
     iommu_probe_device+0x22/0x70
     iommu_bus_notifier+0x1e/0x40
     notifier_call_chain+0x46/0x150
     blocking_notifier_call_chain+0x42/0x60
     bus_notify+0x2f/0x50
     device_add+0x5ed/0x7e0
     platform_device_add+0xf5/0x240
     mfd_add_devices+0x3f9/0x500
     ? preempt_count_add+0x4c/0xa0
     ? up_write+0xa2/0x1b0
     ? __debugfs_create_file+0xe3/0x150
     intel_lpss_probe+0x49f/0x5b0
     ? pci_conf1_write+0xa3/0xf0
     intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci]
     pci_device_probe+0x95/0x120
     really_probe+0xd9/0x370
     ? __pfx___driver_attach+0x10/0x10
     __driver_probe_device+0x73/0x150
     driver_probe_device+0x19/0xa0
     __driver_attach+0xb6/0x180
     ? __pfx___driver_attach+0x10/0x10
     bus_for_each_dev+0x77/0xd0
     bus_add_driver+0x114/0x210
     driver_register+0x5b/0x110
     ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci]
     do_one_initcall+0x57/0x2b0
     ? kmalloc_trace+0x21e/0x280
     ? do_init_module+0x1e/0x210
     do_init_module+0x5f/0x210
     load_module+0x1d37/0x1fc0
     ? init_module_from_file+0x86/0xd0
     init_module_from_file+0x86/0xd0
     idempotent_init_module+0x17c/0x230
     __x64_sys_finit_module+0x56/0xb0
     do_syscall_64+0x6e/0x140
     entry_SYSCALL_64_after_hwframe+0x71/0x79
AI Analysis
Technical Summary
CVE-2024-35957 is a medium-severity vulnerability in the Linux kernel related to the Intel IOMMU (Input-Output Memory Management Unit) VT-d driver. The vulnerability arises from an incorrect assumption in the kernel code that each device probed by the IOMMU driver has a unique source ID. Specifically, commit 1a75cc710b95 introduced a red-black tree (rbtree) data structure to track probed devices, indexed by their source IDs. However, the VT-d specification does not guarantee uniqueness of source IDs across devices, leading to potential conflicts and erroneous behavior. The fix tracks only devices with PCI ATS (Address Translation Services) capabilities in this rbtree, because the rbtree lookups are needed only when handling ATS invalidation time-out errors and PRI I/O page faults; this avoids the warnings and failures in the IOMMU probe path. Without this fix, some platforms may experience kernel warnings (WARN_ON) and probe failures, which can cause kernel panics (kernel splats) and disrupt system stability. The vulnerability manifests as a WARN_ON triggered during the probing of devices by the Intel IOMMU driver, potentially leading to system crashes or denial of service. The issue affects Linux kernel versions containing the specified commits and is resolved by restricting the rbtree tracking to PCI ATS-capable devices only. The CVSS 3.1 base score is 5.9 (medium), with attack vector local, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability, albeit limited. There are no known exploits in the wild at this time. The vulnerability primarily affects systems using Intel VT-d IOMMU technology, which is common in servers and workstations requiring device isolation and DMA remapping for security and virtualization purposes.
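The tracking logic described above, before and after the fix, as a simplified Python model added here for illustration (it is not kernel code and not part of the original advisory). The class and device names are hypothetical, a dict stands in for the rbtree, and the second sample device is assumed to resolve to the same source ID as the first.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Dev:
    name: str
    bus: int
    devfn: int   # (slot << 3) | function
    ats: bool    # device has the PCI ATS capability

    @property
    def source_id(self) -> int:
        return (self.bus << 8) | self.devfn  # bus + devfn, as the lookups use

class ProbeModel:
    """Toy model of per-IOMMU device tracking; a dict stands in for the rbtree."""

    def __init__(self, ats_only: bool):
        self.ats_only = ats_only  # False: track every probed device; True: the fix
        self.tracked = {}         # source ID -> Dev
        self.warnings = []

    def probe(self, dev: Dev) -> bool:
        if self.ats_only and not dev.ats:
            return True           # probed successfully, just not tracked
        if dev.source_id in self.tracked:
            self.warnings.append(f"WARN_ON: source ID {dev.source_id:#06x} "
                                 f"already tracked, probing {dev.name}")
            return False          # duplicate key: probe fails
        self.tracked[dev.source_id] = dev
        return True

    def lookup(self, bus: int, devfn: int):
        """Lookup by bus/devfn, needed only on the ATS and PRI paths."""
        return self.tracked.get((bus << 8) | devfn)

# Constructed devices (hypothetical names). The second is assumed to resolve to
# the same source ID as the first, which is the collision the page describes.
DEVICES = [
    Dev("pci-function", 0x00, 0xA8, ats=False),
    Dev("platform-child", 0x00, 0xA8, ats=False),
    Dev("ats-endpoint", 0x01, 0x00, ats=True),
]

def run(ats_only: bool):
    model = ProbeModel(ats_only)
    return [model.probe(d) for d in DEVICES], model

if __name__ == "__main__":
    for ats_only in (False, True):
        results, model = run(ats_only)
        print(ats_only, results, model.warnings, sorted(model.tracked))
```

With `ats_only=False` the second probe fails on the duplicate key; with `ats_only=True` all three probes succeed and only the ATS-capable device remains available to the bus/devfn lookup.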
Potential Impact
For European organizations, the impact of CVE-2024-35957 depends largely on their deployment of Linux systems with Intel VT-d enabled. Organizations running virtualized environments, cloud infrastructure, or high-security servers that rely on IOMMU for device isolation and protection may face system instability or denial of service due to kernel panics triggered by this vulnerability. This could lead to service outages, data integrity issues, and potential exposure of sensitive information if the system crashes during critical operations. While the vulnerability does not appear to allow remote code execution or privilege escalation directly, the resulting system instability can disrupt business operations and impact availability. Industries such as finance, telecommunications, government, and critical infrastructure in Europe, which often deploy Linux-based servers with advanced hardware features, may be particularly affected. The vulnerability's local attack vector means that an attacker or malicious insider with local access could trigger the issue, emphasizing the need for strict access controls. The absence of known exploits reduces immediate risk but does not eliminate the potential for future exploitation, especially in targeted attacks against high-value assets.
Mitigation Recommendations
European organizations should apply the Linux kernel patches that address CVE-2024-35957 as soon as they become available from their Linux distribution vendors. Specifically, ensure that kernel versions include the fix that restricts the rbtree tracking to PCI ATS-capable devices only. For environments where immediate patching is not feasible, consider disabling Intel VT-d IOMMU functionality temporarily if it does not critically impact operations, to avoid triggering the vulnerability. Additionally, implement strict local access controls and monitoring to prevent unauthorized users from exploiting local access to provoke kernel warnings or crashes. Regularly audit and update kernel versions and monitor vendor advisories for any related updates or exploit reports. In virtualized environments, ensure hypervisor and guest OS configurations are hardened and that device assignment policies do not expose vulnerable IOMMU paths. Employ kernel crash dump analysis and system monitoring to detect early signs of exploitation or instability related to this vulnerability. Finally, maintain robust backup and recovery procedures to mitigate the impact of potential denial-of-service conditions.
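For the monitoring recommendation above, one way to flag hosts that have hit this warning is to scan kernel logs for the splat signature shown in the description. This is an added example, not part of the original advisory; the sample log lines are constructed, and the record field names are hypothetical.

```python
import re

# Signature taken from the advisory's splat. Line number and offsets vary per
# build, so only the source file and the warning function are matched.
WARN_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at "
                     r"drivers/iommu/intel/iommu\.c:(\d+) intel_iommu_probe_device\+")
FRAME_RE = re.compile(r"(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def find_probe_splats(lines):
    """Return one record per VT-d probe-path WARN_ON found in kernel log lines."""
    hits, cur = [], None
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            cur = {"cpu": int(m[1]), "pid": int(m[2]), "src_line": int(m[3]),
                   "via_bus_notifier": False, "modules": []}
            hits.append(cur)
        elif "WARNING:" in line or "</TASK>" in line or "end trace" in line:
            cur = None  # a different warning, or the end of this trace
        elif cur is not None:
            frame = FRAME_RE.search(line)
            if not frame:
                continue
            unreliable, sym, mod = frame.groups()
            if sym == "iommu_bus_notifier" and not unreliable:
                cur["via_bus_notifier"] = True  # probe ran from the device_add notifier
            if mod and mod not in cur["modules"]:
                cur["modules"].append(mod)  # module whose frames appear in the trace
    return hits

# Constructed sample: timestamps and the first (unrelated) warning are invented;
# the remaining frames are a subset of the trace quoted in the description.
SAMPLE = """\
[   12.301] WARNING: CPU: 1 PID: 88 at kernel/sched/core.c:100 some_other_func+0x10/0x20
[   12.302]  some_other_func+0x10/0x20 [unrelated_mod]
[   14.870] WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90
[   14.871] Call Trace:
[   14.871]  <TASK>
[   14.871]  ? __warn+0x7e/0x180
[   14.871]  __iommu_probe_device+0xf2/0x4f0
[   14.871]  iommu_bus_notifier+0x1e/0x40
[   14.871]  mfd_add_devices+0x3f9/0x500
[   14.871]  intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci]
[   14.871]  ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci]
[   14.871]  </TASK>
""".splitlines()

if __name__ == "__main__":
    print(find_probe_splats(SAMPLE))
```

Feed it the lines of a saved kernel log; a non-empty result identifies a host where the probe-path warning fired and names the module whose frames appear in the trace.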
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.136Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2291
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 8:39:31 AM
Last updated: 8/18/2025, 11:35:19 PM