CVE-2024-26957 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

s390/zcrypt: fix reference counting on zcrypt card objects

Tests with hot-plugging crytpo cards on KVM guests with debug kernel build revealed an use after free for the load field of the struct zcrypt_card. The reason was an incorrect reference handling of the zcrypt card object which could lead to a free of the zcrypt card object while it was still in use.

This is an example of the slab message:

kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel: kmalloc_trace+0x3f2/0x470 kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel: ap_device_probe+0x15c/0x290 kernel: really_probe+0xd2/0x468 kernel: driver_probe_device+0x40/0xf0 kernel: __device_attach_driver+0xc0/0x140 kernel: bus_for_each_drv+0x8c/0xd0 kernel: __device_attach+0x114/0x198 kernel: bus_probe_device+0xb4/0xc8 kernel: device_add+0x4d2/0x6e0 kernel: ap_scan_adapter+0x3d0/0x7c0 kernel: ap_scan_bus+0x5a/0x3b0 kernel: ap_scan_bus_wq_callback+0x40/0x60 kernel: process_one_work+0x26e/0x620 kernel: worker_thread+0x21c/0x440 kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel: kfree+0x37e/0x418 kernel: zcrypt_card_put+0x54/0x80 [zcrypt]
kernel: ap_device_remove+0x4c/0xe0 kernel: device_release_driver_internal+0x1c4/0x270 kernel: bus_remove_device+0x100/0x188 kernel: device_del+0x164/0x3c0 kernel: device_unregister+0x30/0x90 kernel: ap_scan_adapter+0xc8/0x7c0 kernel: ap_scan_bus+0x5a/0x3b0 kernel: ap_scan_bus_wq_callback+0x40/0x60 kernel: process_one_work+0x26e/0x620 kernel: worker_thread+0x21c/0x440 kernel: kthread+0x150/0x168 kernel: __ret_from_fork+0x3c/0x58 kernel: ret_from_fork+0xa/0x30 kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff) kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88 kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........ kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk. kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........ kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2 kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux) kernel: Call Trace: kernel: [] dump_stack_lvl+0x90/0x120
kernel: [] check_bytes_and_report+0x114/0x140
kernel: [] check_object+0x334/0x3f8
kernel: [] alloc_debug_processing+0xc4/0x1f8
kernel: [] get_partial_node.part.0+0x1ee/0x3e0
kernel: [] ___slab_alloc+0xaf4/0x13c8
kernel: [] __slab_alloc.constprop.0+0x78/0xb8
kernel: [] __kmalloc+0x434/0x590
kernel: [] ext4_htree_store_dirent+0x4e/0x1c0
kernel: [] htree_dirblock_to_tree+0x17a/0x3f0
kernel: ---truncated---

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/26/2026

The vulnerability CVE-2024-26957 affects the Linux kernel's s390/zcrypt subsystem, specifically targeting reference counting mechanisms for zcrypt card objects. This issue manifests as a use-after-free condition on the load field of the struct zcrypt_card, which occurs during hot-plugging crypto cards in KVM guests with debug kernel builds. The flaw stems from improper handling of reference counts for zcrypt card objects, leading to scenarios where the kernel attempts to free memory that is still actively in use by the cryptographic subsystem.

The technical root cause involves incorrect reference counting logic within the zcrypt subsystem, particularly in the zcrypt_card_put function which is responsible for decrementing reference counts and eventually freeing card objects. When the reference count drops to zero, the kernel frees the zcrypt_card structure, but due to the flawed reference handling, this can occur while the object is still referenced elsewhere in the system. The kernel's slab allocator messages clearly show the allocation trace from zcrypt_card_alloc and the subsequent free trace from zcrypt_card_put, demonstrating a clear temporal mismatch between object usage and deallocation. The debug output reveals that objects are allocated in the zcrypt_card_alloc function and freed in zcrypt_card_put, with the slab memory management system detecting the inconsistency through redzone checking mechanisms.

This vulnerability presents significant operational risks within virtualized environments, particularly for systems relying on IBM z/Architecture cryptographic accelerators. The use-after-free condition can lead to system instability, potential privilege escalation, or denial-of-service scenarios when cryptographic operations are performed concurrently with hot-plug events. Attackers could potentially exploit this by triggering multiple hot-plug operations or by manipulating the timing of cryptographic operations to force the kernel into freeing objects while they remain referenced. The vulnerability is particularly concerning in KVM guest environments where dynamic device management is common, as it can be triggered through normal system operations involving crypto card hot-plugging.

Mitigation strategies should focus on applying the kernel patch that corrects the reference counting logic in the zcrypt subsystem. System administrators should ensure all affected systems are updated to kernel versions containing the fix, which addresses the improper reference handling in the zcrypt_card_put function. Additionally, monitoring systems for slab allocator warnings or memory corruption indicators can help detect exploitation attempts. The fix aligns with common security practices for reference counting vulnerabilities and maps to CWE-415, which addresses double free conditions and improper reference counting. From an ATT&CK perspective, this vulnerability could be leveraged in privilege escalation tactics or denial-of-service campaigns, particularly in virtualized environments where attackers have access to crypto card management interfaces. Organizations should implement robust patch management processes to ensure timely deployment of kernel updates, especially in mission-critical systems utilizing IBM z/Architecture cryptographic hardware.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00239

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!