PatchSiren cyber security CVE debrief
CVE-2024-26787 Linux CVE debrief
CVE-2024-26787 is a Linux kernel issue in the mmci/stm32 MMC DMA path where an error-handling branch could leave scatter-gather DMA mappings unbalanced. In affected builds, CONFIG_DMA_API_DEBUG_SG can report overlapping mappings and cacheline tracking warnings because dma_map_sg and dma_unmap_sg are not correctly paired on certain error paths. The issue was fixed in upstream/stable kernel patches referenced by NVD and downstream advisories.
- Vendor: Linux
- Product: CVE-2024-26787
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-04
- Original CVE updated: 2026-05-12
- Advisory published: 2024-04-04
- Advisory updated: 2026-05-12
Who should care
Linux kernel maintainers, distro kernel teams, and operators of systems using the mmci/pl18x STM32 MMC driver path are the primary audience. It matters most for environments running affected kernel branches on STM32-based hardware, especially if DMA API debug testing or MMC error conditions are part of validation.
Technical summary
The supplied CVE description says that when an error occurs in mmci_cmd_irq, only mmci_dma_error is called, but the STM32 variant does not manage the DMA API there, so dma_unmap_sg is never reached on that path. NVD links multiple kernel patch commits and lists affected Linux kernel ranges as 4.20 through before 5.10.213, 5.11 through before 5.15.152, 5.16 through before 6.1.81, 6.2 through before 6.6.21, 6.7 through before 6.7.9, and 6.8-rc1 through 6.8-rc6. The reported impact is availability-focused; the NVD vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
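The version ranges above can be turned into a quick inventory triage. The following is an added example, not code from NVD or the kernel project; the function names and the sample release strings are assumptions made for illustration. A match only means the upstream version number falls in a listed range: distribution kernels may carry a backported fix, and the flaw only matters where the mmci STM32 driver is in use.

```python
import re

# Affected upstream ranges from the debrief: (first affected, first fixed).
AFFECTED_RANGES = [
    ((4, 20, 0), (5, 10, 213)),
    ((5, 11, 0), (5, 15, 152)),
    ((5, 16, 0), (6, 1, 81)),
    ((6, 2, 0), (6, 6, 21)),
    ((6, 7, 0), (6, 7, 9)),
]
AFFECTED_RC = ((6, 8), range(1, 7))  # 6.8-rc1 through 6.8-rc6

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Parse a `uname -r` style string into ((major, minor, patch), rc)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def in_affected_range(release):
    """True or False for a parsed release, None if it is not a kernel version."""
    parsed = parse_release(release)
    if parsed is None:
        return None
    version, rc = parsed
    # Assumption: only 6.8 release candidates get rc-level handling; other
    # "-rcN" builds are compared by their base version.
    if rc is not None and version[:2] == AFFECTED_RC[0]:
        return rc in AFFECTED_RC[1]
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage(releases):
    """Map each release string to a short triage label."""
    labels = {True: "in affected upstream range", False: "outside listed ranges",
              None: "unparsed"}
    return {r: labels[in_affected_range(r)] for r in releases}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real fleet.
    sample = ["5.10.212", "5.10.213", "6.1.80-stm32mp", "6.8.0-rc6", "6.8.0", "custom"]
    for release, label in triage(sample).items():
        print(f"{release:16} {label}")
```

Treat "in affected upstream range" as a prompt to check the vendor changelog for the fix, not as proof of exposure.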
Defensive priority
Medium. Prioritize patching if you ship or support affected Linux kernel branches on STM32/MMC hardware, because the flaw can surface as kernel warnings and resource-management problems in error paths.
Recommended defensive actions
- Update to a kernel release that includes the referenced upstream/stable fixes for CVE-2024-26787.
- Backport the relevant mmci/stm32 DMA error-path fix if you maintain a long-term kernel branch.
- Verify that the error path in the STM32 mmci driver correctly balances dma_map_sg and dma_unmap_sg.
- Test affected platforms with DMA API debug enabled to confirm the warning no longer appears after patching.
- Track downstream vendor guidance for any distribution-specific backport or reboot requirements.
Evidence notes
This debrief is based on the supplied CVE description, NVD metadata, and linked kernel stable patch references. The description explicitly names the fix "mmc: mmci: stm32: fix DMA API overlapping mappings warning" and states that an error path could skip dma_unmap_sg. NVD lists the CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and provides multiple patch links plus a Debian LTS announcement; no exploit code or unsupported impact claims are used here.
Official resources
- CVE-2024-26787 CVE record (CVE.org)
- CVE-2024-26787 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Source reference (af854a3a-2127-422b-91ae-364da2661108 - Mailing List)
CVE published 2024-04-04T09:15:08.297Z. The supplied source was last modified by NVD on 2026-05-12T12:16:19.747Z; that modification date is not the issue date.