CVE-2024-35926

5.5 MEDIUM

📋 TL;DR

A memory leak vulnerability exists in the Linux kernel's IAA crypto driver where descriptors aren't properly freed during async_disable operations. This affects systems using Intel IAA hardware acceleration for compression/decompression. The vulnerability could lead to resource exhaustion over time.

💻 Affected Systems

Products:
  • Linux kernel with IAA crypto driver enabled
Versions: Kernel versions containing the vulnerable code (specific versions not specified in CVE, but patches available in stable branches)
Operating Systems: Linux distributions with vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Intel IAA hardware acceleration is enabled and being used for compression/decompression operations. Most systems won't have this enabled by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained exploitation could cause kernel memory exhaustion leading to system instability, denial of service, or potential privilege escalation if combined with other vulnerabilities.

🟠 Likely Case

Gradual memory consumption leading to performance degradation and eventual system crashes or service disruptions in systems actively using IAA compression/decompression.

🟢 If Mitigated

Minimal impact with proper monitoring and resource limits in place, though memory usage would still be suboptimal.

🌐 Internet-Facing: LOW - Requires local access and specific IAA hardware usage patterns.
🏢 Internal Only: MEDIUM - Internal systems using IAA compression could experience stability issues affecting business operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and ability to trigger IAA compression/decompression operations. Exploitation would need to repeatedly trigger the vulnerable code path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches available in stable kernel branches (commits 262534ddc88dfea7474ed18adfecf856e4fbe054 and d994f7d77aaded05dc05af58a2720fd4f4b72a83)

Vendor Advisory: https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the fix is applied by checking kernel version.

🔧 Temporary Workarounds

Disable IAA crypto driver

linux

Prevent use of the vulnerable IAA hardware acceleration module

modprobe -r iaa_crypto
echo 'blacklist iaa_crypto' > /etc/modprobe.d/disable-iaa.conf

🧯 If You Can't Patch

  • Monitor system memory usage and kernel logs for signs of memory exhaustion
  • Limit or disable compression/decompression operations that use IAA hardware

🔍 How to Verify

Check if Vulnerable:

Check whether the IAA crypto module is loaded: lsmod | grep iaa_crypto. If the module is loaded and the kernel is unpatched, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits or check with your distribution's security advisory. Confirm IAA operations work without memory growth.

📡 Detection & Monitoring

Log Indicators:

  • Kernel OOM (Out of Memory) messages
  • Increasing memory usage in /proc/meminfo
  • System performance degradation

Network Indicators:

  • None - this is a local resource exhaustion vulnerability

SIEM Query:

Search for kernel logs containing 'Out of memory' or monitoring memory usage spikes on systems with IAA hardware
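
The module check and the log and memory indicators above can be combined into one triage script. This is an added example, not part of the original advisory or any vendor tooling; the function names, the use of MemAvailable as the memory signal and the 10% threshold are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: triage helpers for this page's indicators (not vendor code).
# Function names, MemAvailable as the signal and the 10% threshold are assumptions.
# iaa_loaded [FILE]: succeed if iaa_crypto is a loaded module (/proc/modules format).
iaa_loaded() {
    awk '$1 == "iaa_crypto" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# meminfo_kb FIELD [FILE]: print the kB value of one /proc/meminfo field.
meminfo_kb() {
    awk -v f="$1:" '$1 == f { print $2; ok = 1 } END { exit !ok }' "${2:-/proc/meminfo}"
}

# mem_drop_pct BEFORE AFTER: integer percent drop in MemAvailable between snapshots.
mem_drop_pct() {
    b=$(meminfo_kb MemAvailable "$1") || return 2
    a=$(meminfo_kb MemAvailable "$2") || return 2
    [ "$b" -gt 0 ] || return 2
    echo $(( (b - a) * 100 / b ))
}

# oom_count LOG: number of kernel OOM lines in a saved kernel log.
oom_count() {
    grep -c -i 'out of memory' "$1" || true
}

# triage MODULES BEFORE AFTER LOG: print module-not-loaded, unknown, investigate or ok.
triage() {
    iaa_loaded "$1" || { echo "module-not-loaded"; return 0; }
    drop=$(mem_drop_pct "$2" "$3") || { echo "unknown"; return 0; }
    if [ "$(oom_count "$4")" -gt 0 ] || [ "$drop" -ge 10 ]; then
        echo "investigate"
    else
        echo "ok"
    fi
}

# make_samples DIR: write constructed sample inputs (not real system data).
make_samples() {
    printf '%s\n' 'idxd 200704 1 iaa_crypto, Live 0x0' \
        'iaa_crypto 73728 0 - Live 0x0' > "$1/modules"
    printf '%s\n' 'MemTotal: 16000000 kB' 'MemAvailable: 12000000 kB' > "$1/before"
    printf '%s\n' 'MemTotal: 16000000 kB' 'MemAvailable: 9000000 kB' > "$1/after"
    echo 'kernel: Out of memory: Killed process 4242 (sample)' > "$1/kern.log"
}

d=$(mktemp -d) && make_samples "$d"
triage "$d/modules" "$d/before" "$d/after" "$d/kern.log"   # prints: investigate
rm -rf "$d"
```

On a live host, pass /proc/modules, two saved copies of /proc/meminfo taken some time apart, and a saved kernel log in place of the sample files.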
