CVE-2024-26894

CVE Details

Release Date:

2024-04-17

Description

In the Linux kernel, the following vulnerability has been resolved:\nACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()\nAfter unregistering the CPU idle device, the memory associated with\nit is not freed, leading to a memory leak:\nunreferenced object 0xffff896282f6c000 (size 1024):\ncomm 'swapper/0', pid 1, jiffies 4294893170\nhex dump (first 32 bytes):\n00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace (crc 8836a742):\n[] kmalloc_trace+0x29d/0x340\n[] acpi_processor_power_init+0xf3/0x1c0\n[] __acpi_processor_start+0xd3/0xf0\n[] acpi_processor_start+0x2c/0x50\n[] really_probe+0xe2/0x480\n[] __driver_probe_device+0x78/0x160\n[] driver_probe_device+0x1f/0x90\n[] __driver_attach+0xce/0x1c0\n[] bus_for_each_dev+0x70/0xc0\n[] bus_add_driver+0x112/0x210\n[] driver_register+0x55/0x100\n[] acpi_processor_driver_init+0x3b/0xc0\n[] do_one_initcall+0x41/0x300\n[] kernel_init_freeable+0x320/0x470\n[] kernel_init+0x16/0x1b0\n[] ret_from_fork+0x2d/0x50\nFix this by freeing the CPU idle device after unregistering it.

See more information about CVE-2024-26894 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	6.0
Vector String:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	High
User Interaction:	None
Scope:	Unchanged
Confidentiality:	High
Integrity:	None
Availability:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 6 (kernel-uek)	ELSA-2024-12851	2024-11-27
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12851	2024-11-27
Oracle Linux version 8 (kernel)	ELSA-2024-7000	2024-09-24
Oracle Linux version 9 (kernel)	ELSA-2024-9315	2024-11-14
Oracle VM version 3 (kernel-uek)	OVMSA-2024-0016	2024-12-03