CVE-2024-26998 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
serial: core: Clearing the circular buffer before NULLifying it
The circular buffer is NULLified in uart_tty_port_shutdown() under the spin lock. However, the PM or other timer based callbacks may still trigger after this event without knowning that buffer pointer is not valid. Since the serial code is a bit inconsistent in checking the buffer state (some rely on the head-tail positions, some on the buffer pointer), it's better to have both aligned, i.e. buffer pointer to be NULL and head-tail possitions to be the same, meaning it's empty. This will prevent asynchronous calls to dereference NULL pointer as reported recently in 8250 case:
BUG: kernel NULL pointer dereference, address: 00000cf5 Workqueue: pm pm_runtime_work EIP: serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) ... ? serial8250_tx_chars (drivers/tty/serial/8250/8250_port.c:1809) __start_tx (drivers/tty/serial/8250/8250_port.c:1551) serial8250_start_tx (drivers/tty/serial/8250/8250_port.c:1654) serial_port_runtime_suspend (include/linux/serial_core.h:667 drivers/tty/serial/serial_port.c:63) __rpm_callback (drivers/base/power/runtime.c:393) ? serial_port_remove (drivers/tty/serial/serial_port.c:50) rpm_suspend (drivers/base/power/runtime.c:447)
The proposed change will prevent ->start_tx() to be called during suspend on shut down port.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/06/2026
The vulnerability identified as CVE-2024-26998 resides within the Linux kernel's serial communication subsystem, specifically affecting the core serial driver functionality. This issue manifests as a race condition involving circular buffer management during port shutdown operations, creating potential for kernel NULL pointer dereferences that could lead to system instability or crashes. The problem primarily affects the 8250 serial driver implementation where asynchronous operations may attempt to access memory locations that have already been invalidated during the shutdown process. The vulnerability demonstrates a classic timing issue where the kernel's serial subsystem fails to properly synchronize buffer state management between different execution contexts, particularly during power management operations.
The technical flaw stems from the improper sequence of operations within the uart_tty_port_shutdown() function where the circular buffer pointer is set to NULL while holding a spin lock, but subsequent power management or timer-based callbacks may still execute and attempt to access the buffer without proper validation. This inconsistency in buffer state checking creates a window where some code paths rely on head-tail position comparisons while others depend on buffer pointer validity, leading to potential dereference of invalid memory addresses. The specific error pattern shows the kernel attempting to call serial8250_tx_chars function which then dereferences a NULL pointer at address 00000cf5, occurring during a pm_runtime_work workqueue execution. This represents a fundamental synchronization issue where the shutdown process does not adequately prevent asynchronous execution paths from accessing already freed resources.
The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise system stability during critical power management operations. When a serial port enters shutdown state during system suspend operations, the asynchronous nature of power management callbacks can trigger execution paths that assume buffer validity while the buffer has already been NULLified. This creates a scenario where legitimate kernel operations attempt to access freed memory, resulting in kernel oops and system termination. The vulnerability particularly affects systems with active serial communications where power management features are enabled, making it relevant to embedded systems, servers, and devices that rely on serial interfaces for communication or debugging purposes. The reported crash pattern indicates this vulnerability can be triggered during normal system operation, not just during abnormal conditions.
The mitigation strategy implemented addresses this by ensuring both buffer pointer state and head-tail position synchronization during shutdown operations, effectively clearing the circular buffer contents before NULLifying the pointer reference. This approach aligns with the principle of defensive programming and proper resource cleanup in concurrent environments. The fix prevents the ->start_tx() function from being called during suspend operations on shutdown ports, thereby eliminating the race condition between the shutdown process and asynchronous power management callbacks. This solution adheres to established kernel development practices for managing concurrent access to shared resources and follows the ATT&CK framework's concept of privilege escalation through kernel-level vulnerabilities. The fix demonstrates proper handling of the CWE-362 (Concurrent Execution using Shared Resource with Unprotected Race Condition) pattern by ensuring proper synchronization between different execution contexts. The implementation maintains kernel stability while preserving the intended functionality of serial communication during normal operations, preventing the kernel from attempting to dereference invalid memory addresses during asynchronous power management operations.