LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26783: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index

In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeup_kswapd() is called with a wrong zone index, -1. Fixed it by checking the index before calling wakeup_kswapd(). > BUG: unable to handle page fault for address: 00000000000033f3 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: 0000 [#1] PREEMPT SMP NOPTI > CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812) > Code: (omitted) > RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 > RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 > RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff > R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 > FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > PKRU: 55555554 > Call Trace: > <TASK> > ? __die > ? page_fault_oops > ? __pte_offset_map_lock > ? exc_page_fault > ? asm_exc_page_fault > ? wakeup_kswapd > migrate_misplaced_page > __handle_mm_fault > handle_mm_fault > do_user_addr_fault > exc_page_fault > asm_exc_page_fault > RIP: 0033:0x55b897ba0808 > Code: (omitted) > RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287 > RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0 > RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0 > RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075 > R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 > R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000 > </TASK>

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-26783 is a Linux kernel reliability flaw. On certain NUMA systems with automatic NUMA balancing enabled, a memory-management path can call kernel reclaim code with an invalid zone index and trigger a kernel oops. The practical business concern is unexpected system crash or service disruption on affected Linux hosts.

Executive priority

Schedule remediation through normal kernel update cycles, with higher urgency for production NUMA systems where crashes would affect availability. There is no cited active exploitation, but kernel crashes can still cause business disruption.

Technical view

The flaw is in mm/vmscan: migrate_misplaced_page can reach wakeup_kswapd() with zone index -1 when a NUMA node has no managed local memory. The kernel fix adds an index check before wakeup_kswapd(). Public data lists Linux kernel affected ranges and stable kernel commits, but no CVSS or CWE.

Likely exposure

Exposure is most likely on Linux systems running affected kernel ranges with NUMA balancing enabled and NUMA nodes lacking local managed memory. General single-node or non-NUMA systems appear less likely to hit the reported crash condition based on the source description.

Exploitation context

The provided sources do not show active exploitation, and CISA KEV status is false. The evidence describes an observed kernel oops in a specific NUMA memory-management scenario, not a public weaponized exploit. Treat impact primarily as local denial of service until stronger evidence appears.

Researcher notes

Evidence is strongest for a narrow crash condition: NUMA balancing plus a memoryless NUMA node causing wakeup_kswapd() to receive -1. The public bundle lacks CVSS, CWE, exploitability detail, and complete downstream package mapping, so validate exposure against actual kernel source or vendor backports.

Mitigation direction

  • Update affected Linux kernels using vendor-supported packages or stable fixes.
  • Prioritize hosts with NUMA hardware, virtualization platforms, or unusual memory topology.
  • Review Debian LTS, Siemens, and relevant vendor advisories for packaged fixes.
  • If patching is delayed, ask the vendor about NUMA balancing risk reduction.
  • Track kernel versions against the referenced stable commit fixes.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded products.
  • Identify systems using NUMA balancing and NUMA nodes without local memory.
  • Confirm whether deployed kernels include the referenced stable commits or vendor backports.
  • Review system logs for kernel oops patterns involving wakeup_kswapd or migrate_misplaced_page.
  • Map affected third-party products against Siemens or other supplier advisories.
Prepared
Confidence
medium
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26783 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxc574bbe917036c8968b984c82c7b13194fe5ce98, c574bbe917036c8968b984c82c7b13194fe5ce98, c574bbe917036c8968b984c82c7b13194fe5ce98, c574bbe917036c8968b984c82c7b13194fe5ce98unaffected
LinuxLinux5.18, 0, 6.1.140, 6.6.22, 6.7.9, 6.8affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.