CVE-2024-36026 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11

While doing multiple S4 stress tests, GC/RLC/PMFW get into an invalid state resulting into hard hangs.

Adding a GFX reset as workaround just before sending the MP1_UNLOAD message avoids this failure.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/30/2025

The vulnerability CVE-2024-36026 represents a critical power management issue within the Linux kernel's AMD graphics driver subsystem, specifically affecting the System Sleep State 4 (S4) functionality. This vulnerability manifests as random system hangs during suspend-to-ram operations, which are commonly referred to as S4 transitions in the Linux power management framework. The issue occurs when the system attempts to enter deep sleep states, particularly affecting systems equipped with AMD graphics hardware where the power management firmware operates under the SMU (System Management Unit) version 13.0.4/11. During multiple stress tests of the S4 functionality, the graphics command processor (GC), ring local controller (RLC), and power management firmware (PMFW) components all become corrupted or enter invalid operational states that result in complete system lockups.

The technical root cause of this vulnerability lies in the improper handling of the power management transition sequence within the AMD display driver subsystem. The Linux kernel's drm/amd/pm component manages the communication between the operating system and the AMD graphics hardware's power management unit, which controls the various subsystems including the graphics core, memory controller, and other related components. When the system attempts to transition to S4 state, the sequence of operations involving the MP1_UNLOAD message fails to properly initialize or reset the graphics hardware components before sending this critical command. This race condition or state management failure causes the hardware subsystems to remain in inconsistent states, leading to the hard hangs that characterize this vulnerability.

The operational impact of CVE-2024-36026 extends beyond simple system instability, as it affects the reliability and usability of Linux-based systems in enterprise and consumer environments where suspend-to-ram functionality is frequently utilized. Users may experience complete system freezes during power management operations, potentially resulting in data loss, system corruption, or forced hard reboots. This vulnerability particularly impacts laptops, servers, and embedded systems that rely on proper power state transitions for energy efficiency and user experience. The random nature of the hang makes this vulnerability difficult to reproduce consistently, which complicates both testing and mitigation efforts. According to the Common Weakness Enumeration (CWE) catalog, this vulnerability aligns with CWE-691, which describes insufficient control flow management, and CWE-754, indicating weakness in resource management that can lead to system instability and potential denial of service conditions.

The mitigation strategy implemented by the Linux kernel developers involves adding a graphics hardware reset operation immediately before sending the MP1_UNLOAD message, effectively serving as a workaround to prevent the invalid state conditions that cause the system hangs. This approach addresses the issue by ensuring that all graphics subsystems are properly reset and synchronized before attempting the power management transition. The fix demonstrates a defensive programming pattern that aligns with the ATT&CK framework's concept of privilege escalation through system-level operations, as it addresses a vulnerability that could potentially be exploited to cause system instability or denial of service. The solution operates at the kernel level within the display driver subsystem, specifically targeting the power management communication sequence between the OS and the AMD hardware, and represents a targeted fix that minimizes performance impact while maximizing system stability. This vulnerability resolution highlights the complex interdependencies between operating system power management frameworks and hardware-specific firmware implementations, particularly in modern graphics processing units where multiple subsystems must coordinate during power state transitions.

Reservation

05/17/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!