LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26766: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-26766 is a Linux kernel crash bug in the hfi1 InfiniBand driver. A descriptor counting error can overwrite adjacent kernel data during a specific send path, leading to kernel panic. Business impact is availability risk on systems using affected kernels and the hfi1/IPoIB functionality.

Executive priority

Treat as a targeted availability issue, not a broad internet-facing emergency from the provided evidence. Prioritize HPC, research, storage, or specialized networking environments that use hfi1/IPoIB, then handle through normal kernel patch governance.

Technical view

The bug is an off-by-one error in hfi1 SDMA transmit descriptor handling. When a send uses exactly six descriptors and needs padding, the descriptor array is not expanded before a seventh descriptor is written, corrupting the containing structure and causing crashes during send completion.

Likely exposure

Exposure appears limited to Linux systems running affected kernel versions with the hfi1 driver and IPoIB/SDMA send path in use. General Linux hosts without this hardware or driver path are less likely to be affected based on the provided sources.

Exploitation context

The source states crashes were easily reproducible through the sendmsg system call, but provides no KEV listing and no cited evidence of active exploitation. The available evidence supports denial-of-service impact through kernel panic, not proven code execution.

Researcher notes

The CVE data does not provide CVSS, CWE, or CPE detail. The strongest technical evidence is the kernel commit narrative describing descriptor overflow, structure corruption, and panic reproducibility. Validate exposure by kernel version and driver usage, not by Linux presence alone.

Mitigation direction

  • Update to a vendor kernel containing the referenced stable hfi1 fixes.
  • Apply Debian LTS kernel updates where those advisories match deployed systems.
  • Reboot after kernel update so the fixed kernel is actually running.
  • Check kernel.org and distribution guidance for supported fixed versions.
  • Prioritize systems using hfi1, InfiniBand, Omni-Path, or IPoIB networking.

Validation and detection

  • Inventory running kernel versions on systems using hfi1 or IPoIB.
  • Confirm whether the hfi1 module is present, loaded, or required.
  • Verify the deployed kernel includes the referenced stable fix commit.
  • Review crash logs for hfi1, ipoib, SDMA, or send completion panics.
  • Confirm patched systems have rebooted into the updated kernel.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2024-26766 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd1c1ee052d25ca23735eea912f843bc7834781b4, 40ac5cb6cbb01afa40881f78b4d2f559fb7065c4, 6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179, bd57756a7e43c7127d0eca1fc5868e705fd0f7ba, eeaf35f4e3b360162081de5e744cf32d6d1b0091, fd8958efe8779d3db19c9124fce593ce681ac709, fd8958efe8779d3db19c9124fce593ce681ac709, fd8958efe8779d3db19c9124fce593ce681ac709, 0ef9594936d1f078e8599a1cf683b052df2bec00, 4.19.291, 5.4.251, 5.10.188, 5.15.99, 6.1.16, 6.2.3unaffected
LinuxLinux6.3, 0, 4.19.308, 5.4.270, 5.10.211, 5.15.150, 6.1.80, 6.6.19, 6.7.7, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.