CVE-2024-26714 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

interconnect: qcom: sc8180x: Mark CO0 BCM keepalive

The CO0 BCM needs to be up at all times, otherwise some hardware (like the UFS controller) loses its connection to the rest of the SoC, resulting in a hang of the platform, accompanied by a spectacular logspam.

Mark it as keepalive to prevent such cases.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability identified as CVE-2024-26714 affects the Linux kernel's interconnect subsystem, specifically within the Qualcomm sc8180x platform implementation. This issue resides in the device tree configuration where the CO0 BCM (Bus Clock Manager) component is not properly marked as a keepalive resource. The CO0 BCM serves as a critical clock management unit that maintains essential communication pathways within the system-on-chip architecture, particularly for peripheral controllers that require continuous clock signals to operate correctly. When this component is not maintained in an active state, it creates a cascading failure condition that impacts the entire system's operational integrity.

The technical flaw stems from improper resource management within the interconnect driver for Qualcomm's sc8180x SoC platform. The CO0 BCM component is responsible for maintaining clock signals to various hardware peripherals, including the UFS (Universal Flash Storage) controller which is essential for storage operations. Without the keepalive designation, the system may shut down or deactivate this critical clock management unit during normal operation, leading to a complete platform hang. This occurs because the UFS controller and other peripherals lose their connection to the rest of the SoC, creating a state where the system becomes unresponsive and unable to process further operations. The vulnerability demonstrates a failure in resource lifecycle management where critical system components are not properly protected from automatic deactivation or shutdown.

The operational impact of this vulnerability is severe and directly affects system stability and availability. When the CO0 BCM is not marked as keepalive, the platform experiences complete hangs that render the system unusable, forcing administrators to perform hard resets or power cycles to recover. The associated logspam indicates that the system generates extensive error messages during the failure state, which can overwhelm logging systems and make troubleshooting difficult. This vulnerability particularly affects devices running on Qualcomm's sc8180x platform that rely on UFS storage controllers and other peripherals that depend on continuous clock signals. The platform hang condition creates a denial of service scenario that can result in data loss, service interruption, and potential hardware damage from forced shutdowns. The vulnerability represents a fundamental failure in system resource management that affects the core operational capabilities of affected devices.

The mitigation for this vulnerability involves updating the Linux kernel to a version that includes the fix implementing the keepalive marking for the CO0 BCM component. This fix addresses the root cause by ensuring that the critical clock management unit remains active throughout system operation, preventing the automatic shutdown that leads to platform hangs. System administrators should prioritize kernel updates, particularly for devices running on Qualcomm sc8180x platforms, to prevent exploitation of this vulnerability. The fix aligns with the common security principle of least privilege and resource protection, ensuring that critical system components are not inadvertently deactivated. Additionally, system monitoring should be implemented to detect any unusual behavior in clock management units that might indicate similar issues in other components. This vulnerability highlights the importance of proper resource management in embedded systems and demonstrates how seemingly minor configuration issues can lead to catastrophic system failures.

This vulnerability corresponds to CWE-691, which addresses insufficient protection of security-critical resources, and aligns with ATT&CK technique T1490, which covers Execution Guardrails and Resource Exhaustion. The fix represents a proper implementation of resource lifecycle management practices that ensure critical system components maintain their operational status. The issue demonstrates the importance of maintaining proper device tree configurations for embedded systems and highlights how resource management failures can lead to complete system compromise rather than just functional degradation.

Reservation

02/19/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!