CVE-2024-26945 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

crypto: iaa - Fix nr_cpus < nr_iaa case

If nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which causes a divide-by-0 in rebalance_wq_table().

Make sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0 case, even though cpus_per_iaa is never used if nr_iaa == 0, for paranoia.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/26/2026

The vulnerability identified as CVE-2024-26945 resides within the Linux kernel's cryptographic subsystem, specifically affecting the iaa (Intel Advanced Acceleration) crypto driver implementation. This issue demonstrates a classic divide-by-zero error that occurs during kernel runtime when the number of available CPU cores falls below the number of iaa hardware acceleration units. The flaw manifests in the rebalance_wq_table() function where the system attempts to calculate the distribution of CPU resources among hardware acceleration units. When the system detects that the number of CPU cores (nr_cpus) is less than the number of iaa units (nr_iaa), the calculation of cpus_per_iaa results in a value of zero, leading to a mathematical division by zero error that crashes the kernel or causes system instability.

The technical root cause of this vulnerability aligns with CWE-369, which specifically addresses the divide-by-zero error condition in software systems. The kernel's cryptographic subsystem attempts to distribute work queue tables across available CPU cores and iaa hardware units, but fails to properly handle edge cases where the resource allocation calculation becomes invalid. The problem occurs during system initialization or when the kernel attempts to rebalance work queue tables in response to system changes. The division operation that computes cpus_per_iaa becomes undefined when nr_iaa exceeds nr_cpus, creating a critical fault condition that can lead to kernel panics or system crashes.

This vulnerability impacts the overall system stability and reliability of Linux systems that utilize Intel Advanced Acceleration hardware for cryptographic operations. The operational consequences extend beyond simple system crashes to potentially compromise the integrity of cryptographic processes that depend on hardware acceleration. Attackers could potentially exploit this vulnerability to cause denial-of-service conditions, particularly in environments where cryptographic workloads are intensive and system uptime is critical. The flaw affects systems running kernel versions prior to the patch release that addresses this specific divide-by-zero condition. The impact is particularly severe in high-performance computing environments, cloud infrastructure, or any system where hardware-accelerated cryptography is heavily utilized.

The mitigation strategy for CVE-2024-26945 involves applying the kernel patch that ensures cpus_per_iaa is set to 1 when nr_cpus is less than nr_iaa, and also handles the edge case where nr_iaa equals zero. This approach prevents the mathematical error by establishing minimum values for resource allocation calculations, thereby maintaining system stability even under suboptimal hardware configurations. Organizations should prioritize kernel updates and ensure all systems running cryptographic workloads are patched promptly to prevent exploitation. The fix also incorporates defensive programming practices that align with ATT&CK technique T1499.004, which addresses system disruption through kernel-level vulnerabilities. Regular system monitoring and vulnerability assessment procedures should be implemented to identify and remediate similar edge case vulnerabilities in cryptographic subsystems. The patch demonstrates proper error handling and resource management practices that prevent cascading failures in kernel subsystems that rely on dynamic resource allocation calculations.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00238

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!