CVE-2024-26761
Medium

In the Linux kernel, the following vulnerability has been resolved:

cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window

The Linux CXL subsystem is built on the assumption that HPA == SPA. That is, the host physical address (HPA) the HDM decoder registers are programmed with are system physical addresses (SPA).

During HDM decoder setup, the DVSEC CXL range registers (cxl-3.1, 8.1.3.8) are checked if the memory is enabled and the CXL range is in a HPA window that is described in a CFMWS structure of the CXL host bridge (cxl-3.1, 9.18.1.3). Now, if the HPA is not an SPA, the CXL range does not match a CFMWS window and the CXL memory range will be disabled then. The HDM decoder stops working which causes system memory being disabled and further a system hang during HDM decoder initialization, typically when a CXL enabled kernel boots.

Prevent a system hang and do not disable the HDM decoder if the decoder's CXL range is not found in a CFMWS window.

Note the change only fixes a hardware hang, but does not implement HPA/SPA translation. Support for this can be added in a follow on patch series.
CVSS 3.1 score
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
The following references provide additional information about CVE-2024-26761 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
- Patch: Kernel patch commit https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29
- Patch: Kernel patch commit https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221
- Patch: Kernel patch commit https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69
Frequently asked questions
- What is CVE-2024-26761?
CVE-2024-26761 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. CVE-2024-26761 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- What is the CVSS score for CVE-2024-26761?
CVE-2024-26761 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
- Is there a patch available for CVE-2024-26761?
No patch is currently available for CVE-2024-26761. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
- Is CVE-2024-26761 actively exploited?
No — CVE-2024-26761 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.