{"timestamp":"2025-10-01T18:00:39.275223Z","id":"CVE-2024-26670","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["arch/arm64/kernel/entry.S"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"471470bc7052d28ce125901877dd10e4c048e513","lessThan":"58eb5c07f41704464b9acc09ab0707b6769db6c0","versionType":"git","status":"affected"},{"version":"471470bc7052d28ce125901877dd10e4c048e513","lessThan":"baa0aaac16432019651e0d60c41cd34a0c3c3477","versionType":"git","status":"affected"},{"version":"471470bc7052d28ce125901877dd10e4c048e513","lessThan":"832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f","versionType":"git","status":"affected"},{"version":"6e3ae2927b432a3b7c8374f14dbc1bd9ebe4372c","versionType":"git","status":"affected"},{"version":"32b0a4ffcaea44a00a61e40c0d1bcc50362aee25","versionType":"git","status":"affected"},{"version":"6.1.57","lessThan":"6.2","versionType":"semver","status":"affected"},{"version":"6.5.7","lessThan":"6.6","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["arch/arm64/kernel/entry.S"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","versionType":"semver","status":"unaffected"},{"version":"6.6.15","lessThanOrEqual":"6.6.*","versionType":"semver","status":"unaffected"},{"version":"6.7.3","lessThanOrEqual":"6.7.*","versionType":"semver","status":"unaffected"},{"version":"6.8","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-787

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-787

OR
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 from (excluding) 6.7.3
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6 from (excluding) 6.6.15

CVE: https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0 Types: Patch

CVE: https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f Types: Patch

CVE: https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477 Types: Patch

kernel.org: https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0 Types: Patch

kernel.org: https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f Types: Patch

kernel.org: https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477 Types: Patch

https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0

https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f

https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477

In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD

Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't
quite right, as it is supposed to be applied after the last explicit
memory access, but is immediately followed by an LDR.

The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to
handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,
which are described in:

* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en
* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en

In both cases the workaround is described as:

| If pagetable isolation is disabled, the context switch logic in the
| kernel can be updated to execute the following sequence on affected
| cores before exiting to EL0, and after all explicit memory accesses:
|
| 1. A non-shareable TLBI to any context and/or address, including
|    unused contexts or addresses, such as a `TLBI VALE1 Xzr`.
|
| 2. A DSB NSH to guarantee completion of the TLBI.

The important part being that the TLBI+DSB must be placed "after all
explicit memory accesses".

Unfortunately, as-implemented, the TLBI+DSB is immediately followed by
an LDR, as we have:

| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
| 	tlbi	vale1, xzr
| 	dsb	nsh
| alternative_else_nop_endif
| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
| 	ldr	lr, [sp, #S_LR]
| 	add	sp, sp, #PT_REGS_SIZE		// restore sp
| 	eret
| alternative_else_nop_endif
|
| [ ... KPTI exception return path ... ]

This patch fixes this by reworking the logic to place the TLBI+DSB
immediately before the ERET, after all explicit memory accesses.

The ERET is currently in a separate alternative block, and alternatives
cannot be nested. To account for this, the alternative block for
ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch
to skip the KPTI logic, with the new shape of the logic being:

| alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL

kernel.org https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0 [No types assigned]

kernel.org https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f [No types assigned]

kernel.org https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477 [No types assigned]