CVE-2024-43889: padata: Fix possible divide-by-0 panic in padata_mt_helper()
In the Linux kernel, the following vulnerability has been resolved:
padata: Fix possible divide-by-0 panic in padata_mt_helper()
We are hit with a not easily reproducible divide-by-0 panic in padata.c at
bootup time.
[ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI
[ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1
[ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021
[ 10.017908] Workqueue: events_unbound padata_mt_helper
[ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0
:
[ 10.017963] Call Trace:
[ 10.017968] <TASK>
[ 10.018004] ? padata_mt_helper+0x39/0xb0
[ 10.018084] process_one_work+0x174/0x330
[ 10.018093] worker_thread+0x266/0x3a0
[ 10.018111] kthread+0xcf/0x100
[ 10.018124] ret_from_fork+0x31/0x50
[ 10.018138] ret_from_fork_asm+0x1a/0x30
[ 10.018147] </TASK>
Looking at the padata_mt_helper() function, the only way a divide-by-0
panic can happen is when ps->chunk_size is 0. The way that chunk_size is
initialized in padata_do_multithreaded(), chunk_size can be 0 when the
min_chunk in the passed-in padata_mt_job structure is 0.
Fix this divide-by-0 panic by making sure that chunk_size will be at least
1 no matter what the input parameters are.
Security readout for executives and security teams
Plain-English summary
CVE-2024-43889 is a Linux kernel reliability bug that can crash the system with a divide-by-zero panic in padata multithreaded work during boot. The public record describes a hard-to-reproduce boot-time panic, not data theft or remote code execution.
Executive priority
Treat this as an availability-risk kernel update, not an emergency exploitation event based on current evidence. Prioritize normal kernel patch cycles, with higher urgency for systems where unexpected boot failure would affect operations or recovery objectives.
Technical view
The flaw is in padata_mt_helper(). If padata_do_multithreaded() receives a padata_mt_job with min_chunk set to 0, ps->chunk_size can become 0, causing a divide-by-zero panic. Kernel stable commits ensure chunk_size is at least 1.
Likely exposure
Exposure is mainly Linux systems running affected kernel versions or vendor products incorporating those kernels. The bundle also cites Debian LTS and Siemens advisories, so appliance and embedded Linux deployments should be checked through vendor guidance.
Exploitation context
The source bundle does not identify active exploitation, public weaponization, or KEV listing. The described failure was observed as a difficult-to-reproduce boot-time kernel panic, suggesting availability impact when the vulnerable code path is reached.
Researcher notes
Evidence is limited to the CVE record, Linux stable fixes, and vendor advisories. No CVSS, CWE, exploit status, or detailed affected product matrix is provided in the bundle beyond Linux kernel version information and cited vendor notices.
Mitigation direction
Apply kernel or distribution updates containing the referenced stable fixes.
Check Debian LTS advisories for package-specific fixed versions.
For Siemens products, follow the cited Siemens ProductCERT advisories.
If no vendor patch is available, request vendor guidance before relying on workarounds.
Plan reboot validation because the reported panic occurred during boot.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and images.
Confirm installed kernels include the referenced stable commit or vendor backport.
Review boot logs for padata_mt_helper divide errors or kernel panics.
Check Debian and Siemens advisory applicability for managed products.
Verify updated systems boot cleanly after kernel deployment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-43889 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.