CVE-2024-26894 - Memory Leak in Linux Kernel’s ACPI Processor Idle – Explained and Exploited

A new vulnerability, CVE-2024-26894, was identified and fixed in the Linux kernel. The flaw lives in the *Advanced Configuration and Power Interface* (ACPI) subsystem, specifically in the processor_idle code. The bug leaks kernel memory every time a CPU idle device is unregistered, which can degrade system performance or, under sustained pressure, crash the system. This post explains the vulnerability in simple terms, demonstrates (with code) what caused the bug, and explores possible exploitation routes.

What is the Issue?

In Linux, ACPI is responsible for power management tasks, including managing CPU idle states. The function acpi_processor_power_exit() is supposed to clean up and free the memory tied to a CPU's idle device. In the buggy implementation, the CPU idle device was unregistered but its memory was *not* freed. As a result, kernel memory leaked every time a CPU was removed or offlined.

Memory leaks in the kernel are dangerous: over time, they can sap resources and slow down or destabilize a system, especially on servers with a lot of CPU hotplug events.

The kernel memory allocator (kmalloc) reserves memory for the CPU idle device like so:

/* One struct cpuidle_device per CPU, allocated when the CPU's idle states are set up */
struct cpuidle_device *dev = kmalloc(sizeof(struct cpuidle_device), GFP_KERNEL);

This dev is then passed through the driver setup, but when the CPU is offlined (and thus the idle device is unregistered), its memory is *not* released. Repeated offline/online cycles amplify the leak.

The kmemleak backtrace provides a detailed lineage of the affected allocation:

unreferenced object 0xffff896282f6c000 (size 1024):
  comm "swapper/0", pid 1, jiffies 429489317
  ...
  backtrace (crc 8836a742):
    [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340
    [<ffffffff9972f3b3>] acpi_processor_power_init+0xf3/0x1c
    ...

The Vulnerable Code

The culprit was in drivers/acpi/processor_idle.c — look at how the unregistration and cleanup routine missed freeing memory:

void acpi_processor_power_exit(struct acpi_processor *pr)
{
    if (pr->cpuidle_dev) {
        cpuidle_unregister_device(pr->cpuidle_dev);
        /* BUG: missing kfree(pr->cpuidle_dev); the object is dropped without being freed */
        pr->cpuidle_dev = NULL;
    }
}

See the problem? Only the device was unregistered, *not* freed!

The fix is to explicitly kfree() the memory after unregistering:

void acpi_processor_power_exit(struct acpi_processor *pr)
{
    if (pr->cpuidle_dev) {
        cpuidle_unregister_device(pr->cpuidle_dev);
        kfree(pr->cpuidle_dev);   // <== FIXED!
        pr->cpuidle_dev = NULL;
    }
}
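To make the accumulation concrete, here is an added user-space model of the lifecycle (example code written for this post, not the kernel's own). It mirrors the shape of acpi_processor_power_init() and the two versions of acpi_processor_power_exit() above, with a small allocation tracker standing in for kmemleak: every model allocation is recorded, every free clears the record, and whatever is still recorded after the device pointer has been dropped is an unreferenced object. The struct layouts, the `model_kmalloc`/`model_kfree` helpers and the cycle counts are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracker capacity; each leaked object occupies one slot. */
#define MAX_TRACKED 4096

/* Padded so the object is 1024 bytes, the "size 1024" seen in the kmemleak report. */
struct cpuidle_device { int cpu; int registered; unsigned char pad[1016]; };
struct acpi_processor { int id; struct cpuidle_device *cpuidle_dev; };

static void *tracked[MAX_TRACKED];   /* live allocations; NULL marks a free slot */

/* Stands in for kmalloc(..., GFP_KERNEL); records the allocation like kmemleak does. */
static void *model_kmalloc(size_t size) {
    void *p = calloc(1, size);
    for (int i = 0; p && i < MAX_TRACKED; i++)
        if (!tracked[i]) { tracked[i] = p; return p; }
    free(p);
    return NULL;                     /* tracker full: treat as an allocation failure */
}

/* Stands in for kfree(); clears the record and releases the memory. */
static void model_kfree(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return; }
}

/* What kmemleak would list: allocations that were recorded but never freed. */
int unreferenced_objects(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += (tracked[i] != NULL);
    return n;
}

static void cpuidle_register_device(struct cpuidle_device *dev) { dev->registered = 1; }
static void cpuidle_unregister_device(struct cpuidle_device *dev) { dev->registered = 0; }

/* Mirrors acpi_processor_power_init(): allocate and register the idle device. */
static int power_init(struct acpi_processor *pr) {
    struct cpuidle_device *dev = model_kmalloc(sizeof *dev);
    if (!dev) return -1;
    dev->cpu = pr->id;
    cpuidle_register_device(dev);
    pr->cpuidle_dev = dev;
    return 0;
}

/* Buggy exit (the CVE): unregisters, drops the only pointer, never frees. */
static void power_exit_buggy(struct acpi_processor *pr) {
    if (pr->cpuidle_dev) {
        cpuidle_unregister_device(pr->cpuidle_dev);
        pr->cpuidle_dev = NULL;      /* the object is now unreachable: leaked */
    }
}

/* Fixed exit: free the device after unregistering it. */
static void power_exit_fixed(struct acpi_processor *pr) {
    if (pr->cpuidle_dev) {
        cpuidle_unregister_device(pr->cpuidle_dev);
        model_kfree(pr->cpuidle_dev);
        pr->cpuidle_dev = NULL;
    }
}

/* Run `cycles` online/offline rounds on one CPU; return how many objects leaked. */
int leaked_after_cycles(int cycles, int use_fix) {
    struct acpi_processor pr = { .id = 1, .cpuidle_dev = NULL };
    int before = unreferenced_objects();
    for (int i = 0; i < cycles; i++) {
        if (power_init(&pr) != 0) break;         /* CPU comes online */
        if (use_fix) power_exit_fixed(&pr);      /* CPU goes offline */
        else power_exit_buggy(&pr);
    }
    return unreferenced_objects() - before;
}

int main(void) {
    printf("buggy exit, 100 cycles: %d leaked objects\n", leaked_after_cycles(100, 0));
    printf("fixed exit, 100 cycles: %d leaked objects\n", leaked_after_cycles(100, 1));
    return 0;
}
```

The buggy variant leaks exactly one 1024-byte object per offline event, which is why the leak scales with hotplug churn rather than with uptime; the fixed variant leaves the tracker empty no matter how many cycles run.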

Source Reference:
Linux Kernel Patch

Possible Exploitation

This isn’t a direct privilege escalation, RCE, or information disclosure bug. But it *is* abusable:

Denial-of-Service (DoS):

Any local user who can trigger CPU offline/online events (such as by writing 0 or 1 to /sys/devices/system/cpu/cpuX/online) could force repeated leaks, slowly exhausting kernel memory.

Persistent Degradation:

On cloud servers, orchestrators that perform frequent CPU hotplugging would eventually face system instability.

Exploit Example:
A user with root privileges can repeatedly offline/online a CPU, watching /proc/slabinfo grow as the memory is never reclaimed.

# Bash loop: repeatedly offline/online CPU1 (as root!)
while true; do
  echo 0 > /sys/devices/system/cpu/cpu1/online
  echo 1 > /sys/devices/system/cpu/cpu1/online
done

Monitor memory use during this cycle to spot the leak.


How to Detect/Prevent?

Kernel Upgrade:

Most importantly, upgrade your kernel version to one with the patch included (5.15+, 6.x trees updated in March 2024).

Detection:

Use tools like kmemleak and monitor /proc/slabinfo for unexpected growth.
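The slabinfo check above is easy to automate. The following is an added example (written for this post, not a kernel or distribution tool) that parses two snapshots in the real /proc/slabinfo 2.1 layout and reports caches whose active object count grew by more than a threshold between them. The two snapshots embedded below are constructed: kmalloc-1k, the cache that holds the 1024-byte objects from the kmemleak report, gains 500 active objects across a window of 500 offline/online cycles, while the other caches stay roughly flat.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Data lines of /proc/slabinfo begin: name <active_objs> <num_objs> <objsize> ...
 * Only the first three columns are used; the rest are ignored. */
#define MAX_CACHES 512

struct slab_stat { char name[64]; long active_objs; long num_objs; };

static int parse_slabinfo(const char *text, struct slab_stat *out, int max) {
    int n = 0;
    while (*text && n < max) {
        const char *eol = strchr(text, '\n');
        size_t full = eol ? (size_t)(eol - text) : strlen(text);
        char line[256];
        size_t len = full < sizeof line ? full : sizeof line - 1;  /* header lines may be long; they are skipped */
        memcpy(line, text, len);
        line[len] = '\0';
        /* Skip the version banner and the '#' column-description line. */
        if (line[0] != '#' && strncmp(line, "slabinfo", 8) != 0 &&
            sscanf(line, "%63s %ld %ld", out[n].name, &out[n].active_objs, &out[n].num_objs) == 3)
            n++;
        text = eol ? eol + 1 : text + full;
    }
    return n;
}

static long active_of(const struct slab_stat *t, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return t[i].active_objs;
    return -1;   /* cache not present in this snapshot */
}

/* Growth in active objects of one cache between snapshots (0 if absent from either). */
long growth_of(const char *before, const char *after, const char *name) {
    static struct slab_stat a[MAX_CACHES], b[MAX_CACHES];
    int na = parse_slabinfo(before, a, MAX_CACHES);
    int nb = parse_slabinfo(after, b, MAX_CACHES);
    long prev = active_of(a, na, name), now = active_of(b, nb, name);
    return (prev < 0 || now < 0) ? 0 : now - prev;
}

/* Number of caches whose active objects rose by at least `threshold`; prints each one. */
int caches_grown(const char *before, const char *after, long threshold) {
    static struct slab_stat a[MAX_CACHES], b[MAX_CACHES];
    int na = parse_slabinfo(before, a, MAX_CACHES);
    int nb = parse_slabinfo(after, b, MAX_CACHES);
    int found = 0;
    for (int i = 0; i < nb; i++) {
        long prev = active_of(a, na, b[i].name);
        if (prev >= 0 && b[i].active_objs - prev >= threshold) {
            printf("cache %-16s +%ld active objects\n", b[i].name, b[i].active_objs - prev);
            found++;
        }
    }
    return found;
}

/* Constructed snapshots (not captured from a real machine). */
const char *SNAP_BEFORE =
    "slabinfo - version: 2.1\n"
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-1k          1200   1216   1024    8    2 : tunables    0    0    0 : slabdata    152    152      0\n"
    "kmalloc-512         3400   3424    512   16    2 : tunables    0    0    0 : slabdata    214    214      0\n"
    "dentry             90210  90300    192   21    1 : tunables    0    0    0 : slabdata   4300   4300      0\n";

const char *SNAP_AFTER =
    "slabinfo - version: 2.1\n"
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-1k          1700   1712   1024    8    2 : tunables    0    0    0 : slabdata    214    214      0\n"
    "kmalloc-512         3405   3424    512   16    2 : tunables    0    0    0 : slabdata    214    214      0\n"
    "dentry             90190  90300    192   21    1 : tunables    0    0    0 : slabdata   4300   4300      0\n";

int main(void) {
    int n = caches_grown(SNAP_BEFORE, SNAP_AFTER, 100);
    printf("%d cache(s) grew by 100 or more active objects\n", n);
    return 0;
}
```

On a live system, read /proc/slabinfo (root) before and after a window of hotplug activity and feed the two texts to caches_grown(); a cache whose active count only ever rises while num_objs follows it is the signature of an unbounded leak, whereas normal caches such as dentry fluctuate. For per-allocation attribution, kmemleak (CONFIG_DEBUG_KMEMLEAK) exposes /sys/kernel/debug/kmemleak: writing scan to it triggers a scan, and reading it yields reports in the format quoted earlier in this post.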

Conclusion

CVE-2024-26894 shows how a simple oversight (a missing kfree()) in a rarely examined code path can put entire systems at risk of failure over time. While not actively exploited in the wild (yet), DoS bugs like this are low-hanging fruit for both insiders and attackers with local access. Make sure your Linux kernel is up to date, audit similar driver code, and be alert to the “silent failures” of memory leaks.

References

- CVE-2024-26894 at NVD
- Linux kernel ACPI Patch Commit
- LWN Coverage
- CPU Hotplug in Linux – Explainer (kernel.org)

Timeline

Published on: 04/17/2024 11:15:10 UTC
Last modified on: 11/01/2024 08:35:09 UTC