CVE-2024-26943 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
nouveau/dmem: handle kcalloc() allocation failure
The kcalloc() in nouveau_dmem_evict_chunk() will return null if the physical memory has run out. As a result, if we dereference src_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs will happen.
Moreover, the GPU is going away. If the kcalloc() fails, we could not evict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL flag in kcalloc().
Finally, as there is no need to have physically contiguous memory, this patch switches kcalloc() to kvcalloc() in order to avoid failing allocations.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/26/2026
The vulnerability CVE-2024-26943 resides within the Linux kernel's nouveau graphics driver component, specifically addressing a critical memory management flaw in the dmem subsystem. This issue manifests as a null pointer dereference condition that occurs when the nouveau_dmem_evict_chunk() function attempts to allocate memory using kcalloc() during GPU memory eviction operations. The flaw represents a direct violation of proper error handling procedures and demonstrates a failure to account for memory allocation failures in critical kernel paths. The vulnerability is classified under CWE-476 as a null pointer dereference, which can lead to system instability and potential privilege escalation scenarios. The issue impacts systems utilizing NVIDIA graphics hardware where the nouveau driver is active, particularly those experiencing memory pressure conditions during GPU memory management operations.
The technical implementation flaw stems from the nouveau driver's failure to properly handle memory allocation failures in the GPU memory eviction process. When kcalloc() returns null due to insufficient physical memory, the subsequent code attempts to dereference pointers src_pfns, dst_pfns, or dma_addrs without checking for allocation success. This pattern creates a classic null pointer dereference scenario that can cause kernel panics and system crashes. The vulnerability is particularly dangerous because it occurs in a context where GPU memory management is critical for system stability, and the failure to handle allocation failures properly can lead to complete system termination. The root cause aligns with ATT&CK technique T1068 which involves exploiting weaknesses in system memory management and allocation routines to achieve system compromise.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable denial of service conditions that can affect graphics rendering capabilities and overall system performance. When the GPU is in a state of memory exhaustion, the failure to properly handle allocation errors means that the system cannot effectively manage memory eviction operations, leading to potential memory fragmentation and resource exhaustion. The vulnerability creates a cascading failure scenario where the inability to evict pages properly can cause the GPU subsystem to become unresponsive, affecting all applications that depend on graphics processing. Additionally, the system's ability to recover from memory pressure conditions is severely compromised, potentially leading to complete system instability during high memory usage scenarios.
The mitigation strategy implemented in this patch addresses the vulnerability through multiple defensive measures that align with established kernel security practices. The patch introduces the __GFP_NOFAIL flag in kcalloc() calls to ensure that memory allocation attempts will not fail under normal circumstances, providing a more robust approach to memory management in critical kernel paths. Furthermore, the patch transitions from kcalloc() to kvcalloc() to eliminate the possibility of allocation failures by utilizing kernel's virtual memory allocation mechanisms that are more resilient to memory pressure conditions. These changes align with kernel security best practices and address the fundamental flaw in the error handling mechanism while maintaining system stability. The solution demonstrates proper defensive programming techniques that prevent null pointer dereferences and ensure graceful degradation of functionality during resource-constrained conditions, thereby protecting against both immediate system crashes and potential exploitation scenarios that could arise from improper memory management.