In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
Unfortunately the commit `fd8958efe877` introduced another error
causing the `descs` array to overflow. This reults in further crashes
easily reproducible by `sendmsg` system call.
[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI
[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]
--
[ 1080.974535] Call Trace:
[ 1080.976990] <TASK>
[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]
[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]
[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]
[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]
[ 1081.046978] dev_hard_start_xmit+0xc4/0x210
--
[ 1081.148347] __sys_sendmsg+0x59/0xa0
crash> ipoib_txreq 0xffff9cfeba229f00
struct ipoib_txreq {
txreq = {
list = {
next = 0xffff9cfeba229f00,
prev = 0xffff9cfeba229f00
},
descp = 0xffff9cfeba229f40,
coalesce_buf = 0x0,
wait = 0xffff9cfea4e69a48,
complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>,
packet_len = 0x46d,
tlen = 0x0,
num_desc = 0x0,
desc_limit = 0x6,
next_descq_idx = 0x45c,
coalesce_idx = 0x0,
flags = 0x0,
descs = {{
qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)
}, {
qw = { 0x3800014231b108, 0x4}
}, {
qw = { 0x310000e4ee0fcf0, 0x8}
}, {
qw = { 0x3000012e9f8000, 0x8}
}, {
qw = { 0x59000dfb9d0000, 0x8}
}, {
qw = { 0x78000e02e40000, 0x8}
}}
},
sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure
sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)
complete = 0x0,
priv = 0x0,
txq = 0xffff9cfea4e69880,
skb = 0xffff9d099809f400
}
If an SDMA send consists of exactly 6 descriptors and requires dword
padding (in the 7th descriptor), the sdma_txreq descriptor array is not
properly expanded and the packet will overflow into the container
structure. This results in a panic when the send completion runs. The
exact panic varies depending on what elements of the container structure
get corrupted. The fix is to use the correct expression in
_pad_sdma_tx_descs() to test the need to expand the descriptor array.
With this patch the crashes are no longer reproducible and the machine is
stable.
Security readout for executives and security teams
Plain-English summary
CVE-2024-26766 is a Linux kernel crash bug in the hfi1 InfiniBand driver. A descriptor counting error can overwrite adjacent kernel data during a specific send path, leading to kernel panic. Business impact is availability risk on systems using affected kernels and the hfi1/IPoIB functionality.
Executive priority
Treat as a targeted availability issue, not a broad internet-facing emergency from the provided evidence. Prioritize HPC, research, storage, or specialized networking environments that use hfi1/IPoIB, then handle through normal kernel patch governance.
Technical view
The bug is an off-by-one error in hfi1 SDMA transmit descriptor handling. When a send uses exactly six descriptors and needs padding, the descriptor array is not expanded before a seventh descriptor is written, corrupting the containing structure and causing crashes during send completion.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with the hfi1 driver and IPoIB/SDMA send path in use. General Linux hosts without this hardware or driver path are less likely to be affected based on the provided sources.
Exploitation context
The source states crashes were easily reproducible through the sendmsg system call, but provides no KEV listing and no cited evidence of active exploitation. The available evidence supports denial-of-service impact through kernel panic, not proven code execution.
Researcher notes
The CVE data does not provide CVSS, CWE, or CPE detail. The strongest technical evidence is the kernel commit narrative describing descriptor overflow, structure corruption, and panic reproducibility. Validate exposure by kernel version and driver usage, not by Linux presence alone.
Mitigation direction
Update to a vendor kernel containing the referenced stable hfi1 fixes.
Apply Debian LTS kernel updates where those advisories match deployed systems.
Reboot after kernel update so the fixed kernel is actually running.
Check kernel.org and distribution guidance for supported fixed versions.
Prioritize systems using hfi1, InfiniBand, Omni-Path, or IPoIB networking.
Validation and detection
Inventory running kernel versions on systems using hfi1 or IPoIB.
Confirm whether the hfi1 module is present, loaded, or required.
Verify the deployed kernel includes the referenced stable fix commit.
Review crash logs for hfi1, ipoib, SDMA, or send completion panics.
Confirm patched systems have rebooted into the updated kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Container behavior lookup
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.