
CVE-2024-36888: Vulnerability in Linux (Linux kernel)

Medium
Published: Thu May 30 2024 (05/30/2024, 15:28:56 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

workqueue: Fix selection of wake_cpu in kick_pool()

With cpu_possible_mask=0-63 and cpu_online_mask=0-7 the following kernel oops was observed:

  smp: Bringing up secondary CPUs ...
  smp: Brought up 1 node, 8 CPUs
  Unable to handle kernel pointer dereference in virtual kernel address space
  Failing address: 0000000000000000 TEID: 0000000000000803
  [..]
  Call Trace:
   arch_vcpu_is_preempted+0x12/0x80
   select_idle_sibling+0x42/0x560
   select_task_rq_fair+0x29a/0x3b0
   try_to_wake_up+0x38e/0x6e0
   kick_pool+0xa4/0x198
   __queue_work.part.0+0x2bc/0x3a8
   call_timer_fn+0x36/0x160
   __run_timers+0x1e2/0x328
   __run_timer_base+0x5a/0x88
   run_timer_softirq+0x40/0x78
   __do_softirq+0x118/0x388
   irq_exit_rcu+0xc0/0xd8
   do_ext_irq+0xae/0x168
   ext_int_handler+0xbe/0xf0
   psw_idle_exit+0x0/0xc
   default_idle_call+0x3c/0x110
   do_idle+0xd4/0x158
   cpu_startup_entry+0x40/0x48
   rest_init+0xc6/0xc8
   start_kernel+0x3c4/0x5e0
   startup_continue+0x3c/0x50

The crash is caused by calling arch_vcpu_is_preempted() for an offline CPU. To avoid this, select the cpu with cpumask_any_and_distribute() to mask __pod_cpumask with cpu_online_mask. In case no cpu is left in the pool, skip the assignment.

tj: This doesn't fully fix the bug as CPUs can still go down between picking the target CPU and the wake call. Fixing that likely requires adding cpu_online() test to either the sched or s390 arch code. However, regardless of how that is fixed, workqueue shouldn't be picking a CPU which isn't online as that would result in unpredictable and worse behavior.

AI-Powered Analysis

Last updated: 06/29/2025, 09:55:08 UTC

Technical Analysis

CVE-2024-36888 is a vulnerability in the Linux kernel's workqueue subsystem, specifically in how kick_pool() selects the wake_cpu for the worker it is about to wake. The crash was observed right after the kernel had brought up its secondary CPUs on a system where cpu_possible_mask covered CPUs 0-63 but cpu_online_mask covered only CPUs 0-7. The call trace shows a timer softirq queueing work (__queue_work -> kick_pool -> try_to_wake_up), after which the scheduler's select_idle_sibling() called arch_vcpu_is_preempted() on the chosen wake_cpu; because that CPU was offline, the call dereferenced a NULL pointer in the virtual kernel address space and the kernel oopsed. The root cause is that the workqueue code picked a wake target from the pool's __pod_cpumask without checking whether that CPU was online, which on s390 leads to this crash and in general to unpredictable behavior. The fix selects the CPU with cpumask_any_and_distribute() over __pod_cpumask masked with cpu_online_mask, and skips the assignment when no CPU is left. The maintainer notes that this does not fully close the race: a CPU can still go offline between the selection and the wake call, so a complete fix likely requires an additional cpu_online() check in the scheduler or in the s390 architecture code. Regardless of how that is resolved, the workqueue should never pick an offline CPU. The vulnerability is classified under CWE-476 (NULL Pointer Dereference) and has a CVSS 3.1 base score of 6.2, a medium severity. The attack vector is local (AV:L), requiring no privileges (PR:N) or user interaction (UI:N), and it impacts availability (A:H) without affecting confidentiality or integrity. No exploits in the wild have been reported and no patches were linked at the time of analysis, so mitigation relies on applying kernel updates once they are available.
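As an added illustration of the selection described in the commit message and the analysis above (a constructed user-space model, not the kernel's code or this page's own), the block below shows that the old pick over __pod_cpumask alone can land on an offline CPU, while the fixed pick masks with cpu_online_mask and skips the assignment when the intersection is empty. The rotor parameter, mask_range() and wake_touches_offline_cpu() are modelling assumptions standing in for the kernel's per-callsite rotor and its per-CPU access.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the wake_cpu choice in kick_pool(); not kernel code.
 * A cpumask is one 64-bit word, so nr_cpu_ids == 64, matching the report's
 * cpu_possible_mask=0-63. */
#define NR_CPU_IDS 64
typedef uint64_t cpumask_t;

static cpumask_t mask_range(int lo, int hi) {      /* CPUs lo..hi inclusive */
    cpumask_t m = 0;
    for (int c = lo; c <= hi; c++) m |= 1ULL << c;
    return m;
}
/* Model of cpumask_any_and_distribute(): pick a CPU set in (a & b), scanning
 * round-robin from the CPU handed out last time (*rotor) so picks spread out.
 * Returns NR_CPU_IDS when the intersection is empty, as the kernel helper does. */
static int any_and_distribute(cpumask_t a, cpumask_t b, int *rotor) {
    cpumask_t m = a & b;
    for (int i = 1; i <= NR_CPU_IDS; i++) {
        int cpu = (*rotor + i) % NR_CPU_IDS;
        if (m & (1ULL << cpu)) { *rotor = cpu; return cpu; }
    }
    return NR_CPU_IDS;
}
/* Before the fix: any CPU of the pool's __pod_cpumask, online or not. */
static int wake_cpu_old(cpumask_t pod, int *rotor) {
    return any_and_distribute(pod, ~(cpumask_t)0, rotor);
}
/* After the fix: mask __pod_cpumask with cpu_online_mask first; if no CPU is
 * left, keep the current wake_cpu (the "skip the assignment" case). */
static int wake_cpu_new(cpumask_t pod, cpumask_t online, int *rotor, int cur) {
    int cpu = any_and_distribute(pod, online, rotor);
    return cpu < NR_CPU_IDS ? cpu : cur;
}
/* Where the oops fired: arch_vcpu_is_preempted() reads per-CPU state that is
 * only valid for an online CPU. Returns 1 when the wake would hit an offline one. */
static int wake_touches_offline_cpu(int wake_cpu, cpumask_t online) {
    return !(online & (1ULL << wake_cpu));
}

int main(void) {
    cpumask_t pod = mask_range(0, 63), online = mask_range(0, 7);
    int rotor = 7, o = wake_cpu_old(pod, &rotor);   /* last pick was CPU 7 */
    printf("old: cpu %d offline=%d\n", o, wake_touches_offline_cpu(o, online));
    rotor = 7;
    int n = wake_cpu_new(pod, online, &rotor, 0);
    printf("new: cpu %d offline=%d\n", n, wake_touches_offline_cpu(n, online));
    return 0;
}
```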

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions, especially those with multi-CPU configurations where some CPUs may be offline or dynamically managed. The kernel crash caused by this vulnerability can lead to denial of service (DoS) conditions, impacting availability of critical services and infrastructure. This is particularly concerning for data centers, cloud providers, telecom operators, and industrial control systems that rely on Linux for stability and uptime. Systems that perform CPU hotplugging or have complex CPU affinity configurations are at higher risk. While the vulnerability does not compromise confidentiality or integrity directly, the resulting system crashes can disrupt business operations, cause service outages, and potentially lead to cascading failures in dependent systems. European organizations with high availability requirements, such as financial institutions, healthcare providers, and public sector entities, may experience operational disruptions if this vulnerability is exploited or triggered inadvertently. The lack of known exploits reduces immediate risk, but the medium severity and potential for system instability necessitate prompt attention.

Mitigation Recommendations

To mitigate CVE-2024-36888, European organizations should:

1) Monitor Linux kernel updates closely and apply patches as soon as they are released by trusted sources or distributions, ensuring that the fix for the workqueue wake_cpu selection is included.
2) Audit and review CPU hotplug and affinity configurations to minimize scenarios where CPUs are offline but still targeted by kernel workqueue operations.
3) Implement kernel crash monitoring and alerting to detect early signs of this vulnerability manifesting, enabling rapid response and system recovery.
4) For critical systems, consider temporarily restricting CPU hotplug operations or limiting dynamic CPU management until a full fix is applied.
5) Engage with Linux distribution vendors and maintainers to verify that the kernel versions deployed in production environments incorporate the necessary fixes.
6) Conduct thorough testing in staging environments with multi-CPU setups to identify any instability related to this issue before deploying updates in production.
7) Document and prepare incident response plans for potential DoS scenarios caused by kernel crashes, ensuring minimal operational impact.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-30T15:25:07.065Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2591

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 9:55:08 AM

Last updated: 7/31/2025, 8:27:02 AM

