CVE-2024-50135

4.7 MEDIUM

📋 TL;DR

A race condition in the Linux kernel's NVMe PCI driver between reset operations and device disable functions could lead to invalid queue values being passed to hardware queue management. This affects systems using NVMe storage devices with the vulnerable kernel driver. The vulnerability requires local access to trigger.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific kernel versions with the vulnerable nvme-pci driver code (check git commits for exact ranges)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with NVMe PCIe storage devices. Requires concurrent reset and disable operations on the same NVMe device.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic or system crash due to invalid hardware queue configuration, leading to denial of service and potential data corruption on NVMe storage devices.

🟠

Likely Case

System instability or crash when NVMe device resets occur concurrently with device disable operations, causing temporary service disruption.

🟢

If Mitigated

Minor performance impact during NVMe operations with proper locking preventing the race condition.

🌐 Internet-Facing: LOW - Requires local system access and specific NVMe operations to trigger.
🏢 Internal Only: MEDIUM - Internal systems with NVMe storage could experience crashes if malicious local users trigger the race condition.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires local access and ability to trigger specific NVMe operations simultaneously. Race conditions are difficult to reliably exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 26bc0a81f64ce00fc4342c38eeb2eddaad084dd2, 4ed32cc0939b64e3d7b48c8c0d63ea038775f304, or b33e49a5f254474b33ce98fd45dd0ffdc247a0be

Vendor Advisory: https://git.kernel.org/stable/c/26bc0a81f64ce00fc4342c38eeb2eddaad084dd2

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Avoid concurrent NVMe operations

linux

Prevent simultaneous reset and disable operations on NVMe devices through operational controls

🧯 If You Can't Patch

  • Restrict local user access to systems with NVMe storage
  • Monitor system logs for NVMe reset/disable operations and investigate concurrent occurrences

🔍 How to Verify

Check if Vulnerable:

Check the running kernel version and compare it with the patched versions from the kernel git commits listed above. Check whether the system has NVMe devices with 'lspci | grep -i nvme'.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version after update matches patched version. Check dmesg for NVMe-related warnings after system operations.

📡 Detection & Monitoring

Log Indicators:

  • Kernel warnings about pci_irq_get_affinity
  • NVMe reset workqueue errors
  • System crash logs mentioning nvme_reset_work

SIEM Query:

source="kernel" AND ("pci_irq_get_affinity" OR "nvme_reset_work" OR "WARNING: CPU")
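As an added example (not part of this advisory), a small Python scanner that applies the log indicators above to constructed dmesg-style lines and flags a reset and a disable on the same controller within a short window, the concurrent occurrence the workaround section says to investigate. The message texts and timestamp format are assumptions, not verified kernel output.

```python
"""Scan kernel log lines for the CVE-2024-50135 indicators listed above.

Added example, not part of the original advisory. The log lines below are
constructed samples in journal style; real kernel messages may differ.
"""
import re
from datetime import datetime, timedelta

# Indicator strings taken from the advisory's "Log Indicators" list.
INDICATORS = ("pci_irq_get_affinity", "nvme_reset_work", "WARNING: CPU")

# Constructed sample log lines (assumed formats, not real kernel output).
SAMPLE_LOG = """\
2024-10-29T10:00:01 host kernel: nvme nvme0: resetting controller
2024-10-29T10:00:01 host kernel: nvme nvme0: Disabling device
2024-10-29T10:00:02 host kernel: WARNING: CPU: 3 PID: 412 at drivers/pci/msi/api.c pci_irq_get_affinity
2024-10-29T10:00:02 host kernel: Workqueue: nvme-reset-wq nvme_reset_work
2024-10-29T10:05:00 host kernel: nvme nvme1: resetting controller
2024-10-29T10:05:03 host kernel: nvme nvme1: 8/0/0 default/read/poll queues
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<msg>.*)$")
EVENT_RE = re.compile(r"nvme (nvme\d+): (resetting controller|Disabling device)")

def parse(lines):
    """Yield (timestamp, message) for lines that look like kernel log entries."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["msg"]

def find_indicators(log_text):
    """Return the messages matching any listed indicator string."""
    return [msg for _, msg in parse(log_text.splitlines())
            if any(ind in msg for ind in INDICATORS)]

def find_concurrent_reset_disable(log_text, window_seconds=2):
    """Return controllers whose reset and disable messages fall within
    window_seconds of each other (the concurrency worth investigating)."""
    events = {}  # controller -> list of (timestamp, kind)
    for ts, msg in parse(log_text.splitlines()):
        m = EVENT_RE.match(msg)
        if m:
            events.setdefault(m[1], []).append((ts, m[2]))
    window = timedelta(seconds=window_seconds)
    hits = []
    for ctrl, evs in events.items():
        resets = [t for t, k in evs if k == "resetting controller"]
        disables = [t for t, k in evs if k == "Disabling device"]
        if any(abs(r - d) <= window for r in resets for d in disables):
            hits.append(ctrl)
    return sorted(hits)

if __name__ == "__main__":
    print(find_indicators(SAMPLE_LOG))
    print(find_concurrent_reset_disable(SAMPLE_LOG))  # ['nvme0']
```

To run it against a live host, feed it the output of 'journalctl -k' instead of SAMPLE_LOG and adjust the regexes to the message formats actually observed.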
