CVE-2024-38661: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

s390/ap: Fix crash in AP internal function modify_bitmap()

A system crash like this

  Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
  Fault in home space mode while using kernel ASCE.
  AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
  Oops: 0038 ilc:3 [#1] PREEMPT SMP
  Modules linked in: mlx5_ib ...
  CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
  Hardware name: IBM 3931 A01 704 (LPAR)
  Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
             R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
  Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
             000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
             000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
             000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
  Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a
             0000014b75e7b600: 18b2 lr %r11,%r2
            #0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616
            >0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)
             0000014b75e7b60c: a7680001 lhi %r6,1
             0000014b75e7b610: 187b lr %r7,%r11
             0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654
             0000014b75e7b616: 18e9 lr %r14,%r9
  Call Trace:
   [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
  ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
   [<0000014b75e7b758>] apmask_store+0x68/0x140
   [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
   [<0000014b75598524>] vfs_write+0x1b4/0x448
   [<0000014b7559894c>] ksys_write+0x74/0x100
   [<0000014b7618a440>] __do_syscall+0x268/0x328
   [<0000014b761a3558>] system_call+0x70/0x98
  INFO: lockdep is turned off.
  Last Breaking-Event-Address:
   [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
  Kernel panic - not syncing: Fatal exception: panic_on_oops

occurred when /sys/bus/ap/a[pq]mask was updated with a relative mask value (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.
The fix is simple: use unsigned long values for the internal variables. The correct checks are already in place in the function but a simple int for the internal variables was used with the possibility to overflow.
AI Analysis
Technical Summary
CVE-2024-38661 is a vulnerability identified in the Linux kernel specifically affecting the s390 architecture's AP (Access Path) internal function modify_bitmap(). The issue arises when updating the /sys/bus/ap/apmask or /sys/bus/ap/aqmask files with relative mask values containing numeric components exceeding the maximum value of a signed 32-bit integer (INT_MAX). Internally, the function ap_parse_bitmap_str() uses signed int variables to process these values, which can overflow when large unsigned values are provided. This overflow leads to incorrect memory addressing and ultimately causes a kernel crash or panic. The crash manifests as a fatal exception with kernel oops messages and a kernel panic due to panic_on_oops being enabled. The root cause is the use of signed int variables where unsigned long should have been used to safely handle large mask values. The vulnerability is triggered by writing crafted relative mask values to the AP mask sysfs interface, which is specific to IBM s390 mainframe hardware running Linux. The fix involves changing internal variables to unsigned long to prevent overflow and ensure proper bounds checking. This vulnerability does not appear to have known exploits in the wild and affects specific Linux kernel versions prior to the patch commit referenced by the hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2. The vulnerability is architecture-specific and impacts systems using the s390 AP bus subsystem, which is niche and primarily found in IBM mainframe environments.
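The signed-int narrowing described above, shown as an added example that is not the kernel's source: a userspace C model of a relative-mask parser, instantiated once with int and once with unsigned long internal variables. The names DEFINE_MASK_CHECK, check_mask_int and check_mask_ulong, the 256-bit mask width and the sample strings are assumptions made for the illustration; instead of touching a bitmap, the model only reports whether an out-of-range index got past the checks.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model (constructed for this page, not kernel code) of a parser
 * for relative masks such as "+0x10-0x12,+60,-90". The same body is built
 * twice; only the type T of the internal variables differs. Returns 0 when
 * every term passes the range checks, -EINVAL otherwise. *oob is set when an
 * accepted start index is negative, i.e. the bounds check was bypassed. */
#define DEFINE_MASK_CHECK(name, T)                                          \
static int name(const char *str, int bits, int *oob)                        \
{                                                                           \
    T a, z;                                                                 \
    char *np, sign;                                                         \
    *oob = 0;                                                               \
    while (*str) {                                                          \
        sign = *str++;                                                      \
        if (sign != '+' && sign != '-')                                     \
            return -EINVAL;                                                 \
        a = z = (T)strtoul(str, &np, 0); /* T=int wraps above INT_MAX */    \
        if (str == np || a >= (T)bits)   /* negative int passes this */     \
            return -EINVAL;                                                 \
        str = np;                                                           \
        if (*str == '-') {               /* range form "+A-Z" */            \
            z = (T)strtoul(++str, &np, 0);                                  \
            if (str == np || a > z || z >= (T)bits)                         \
                return -EINVAL;                                             \
            str = np;                                                       \
        }                                                                   \
        if ((long long)a < 0)            /* would index before the map */   \
            *oob = 1;                                                       \
        while (*str == ',' || *str == '\n')                                 \
            str++;                                                          \
    }                                                                       \
    return 0;                                                               \
}

DEFINE_MASK_CHECK(check_mask_int, int)             /* 'before' pattern */
DEFINE_MASK_CHECK(check_mask_ulong, unsigned long) /* 'after' pattern */

int main(void)
{
    int oob, rc = check_mask_int("+2147483648", 256, &oob);
    printf("int:           rc=%d oob=%d\n", rc, oob);
    rc = check_mask_ulong("+2147483648", 256, &oob);
    printf("unsigned long: rc=%d oob=%d\n", rc, oob);
    return 0;
}
```

The unsigned long to int conversion is implementation-defined in C; GCC and Clang wrap modulo 2^32, which is what turns INT_MAX + 1 into a negative index here.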
Potential Impact
For European organizations, the impact of CVE-2024-38661 is largely confined to those operating IBM s390 mainframe systems running affected Linux kernel versions. Such systems are typically used in large enterprises, financial institutions, government agencies, and critical infrastructure sectors that rely on mainframe computing for high availability and secure transaction processing. A kernel crash or panic caused by this vulnerability could lead to denial of service conditions, disrupting critical business operations and potentially causing data processing delays. Although this vulnerability does not directly lead to privilege escalation or data leakage, the availability impact on mission-critical mainframe workloads could be significant. Recovery from kernel panics on mainframes can be complex and time-consuming, increasing operational risk. Given the specialized nature of the affected hardware and software, the threat is not widespread but should be taken seriously by organizations with mainframe deployments in Europe. The lack of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks or accidental misconfigurations.
Mitigation Recommendations
European organizations using IBM s390 mainframes with Linux should promptly apply the official Linux kernel patches that address CVE-2024-38661. Since the fix involves changing internal kernel variables from signed int to unsigned long, upgrading to the patched kernel version identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 or later is essential. In addition, administrators should audit and restrict write access to the /sys/bus/ap/apmask and /sys/bus/ap/aqmask sysfs interfaces to trusted users only, minimizing the risk of accidental or malicious triggering of the vulnerability. Implementing kernel crash monitoring and automated recovery procedures can reduce downtime in case of unexpected panics. Organizations should also review operational procedures to avoid using relative mask values with large numeric components that could trigger the overflow. Maintaining up-to-date kernel versions and subscribing to vendor security advisories for IBM mainframe Linux distributions will ensure timely awareness of related vulnerabilities. Finally, testing kernel updates in staging environments before production deployment is recommended to prevent unintended disruptions.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-24T13:53:25.560Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2bf9
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 12:12:17 PM
Last updated: 8/12/2025, 4:15:47 AM