PatchSiren cyber security CVE debrief
CVE-2024-26812 Linux CVE debrief
CVE-2024-26812 is a Linux kernel VFIO/PCI issue in INTx interrupt handling. The supplied NVD record describes a path where the INTx eventfd could be deconfigured, unregistering the IRQ handler while later irqfd or SET_IRQS paths could still signal an eventfd with a NULL context. The published fix changes how the INTx handler is managed and adds synchronization so the trigger can be updated safely while interrupts or irqfd callbacks are in flight. The practical impact is denial of service on affected kernels.
- Vendor: Linux
- Product: CVE-2024-26812
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-05
- Original CVE updated: 2026-05-12
- Advisory published: 2024-04-05
- Advisory updated: 2026-05-12
Who should care
Linux administrators, virtualization and cloud operators, and anyone running VFIO PCI passthrough or other INTx-dependent device assignment on affected Linux kernel versions. Kernel maintainers and distro security teams should also review backported fixes and vendor advisories.
Technical summary
NVD lists this as a local, low-privilege Linux kernel flaw with availability impact only (CVSS 5.5, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The issue is in vfio/pci INTx interrupt handling: if the eventfd used for INTx signaling is deconfigured, the IRQ handler can be unregistered while asynchronous irqfd-related paths may still invoke eventfd signaling with a NULL context. The fix, as described in the kernel patch references, moves INTx interrupt handler configuration to the lifetime of the INTx context object and irq_type configuration, and adds synchronization between the ioctl path and the eventfd_signal() wrapper.
Defensive priority
Medium. The vulnerability requires local access and affects availability rather than confidentiality or integrity, but it touches core kernel VFIO paths and should be patched promptly on systems that use VFIO or device passthrough.
Recommended defensive actions
- Update Linux kernels to versions that include the fix or vendor backports. NVD's affected-version ranges end before 6.1.84, 6.6.24, 6.7.12, and 6.8.3.
- If you use a distribution kernel, verify the vendor has backported the fix rather than relying only on upstream version numbers.
- Prioritize remediation on hosts that expose VFIO/PCI passthrough to tenants, untrusted users, or automation that can interact with device assignment.
- Review whether INTx-based device assignment is in use. If it is not, this CVE is a lower operational priority, but routine kernel maintenance should still be planned.
- Track downstream security advisories for your distribution, especially if you run Debian 10, which is listed as affected in the supplied NVD data.
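A triage check for the actions above, as an added example that is not part of the original debrief or any vendor tooling: it compares an upstream-style kernel release string against the NVD range ends quoted here and reports whether a VFIO PCI driver is loaded. The function names and status words are hypothetical, and the sysfs module names vfio_pci and vfio_pci_core are assumptions about the host's kernel build.

```shell
#!/bin/sh
# Added triage example; thresholds are the NVD range ends quoted on this page.
# Function names and status words are hypothetical.

# Print fixed-upstream, in-nvd-range or unknown for a release string
# such as the output of `uname -r`.
cve_2024_26812_status() {
    rel=${1%%[-+_]*}                      # 6.1.83-generic -> 6.1.83
    case $rel in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;                   # "6.8" is treated as 6.8.0
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    case "$major.$minor" in
        6.1) fix=84 ;;
        6.6) fix=24 ;;
        6.7) fix=12 ;;
        6.8) fix=3 ;;
        *)
            # Releases from 6.9 on postdate the last listed range end (6.8.3).
            if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 9 ]; }; then
                echo fixed-upstream
            else
                echo unknown              # branch not listed on this page
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed-upstream; else echo in-nvd-range; fi
}

# Succeed when a VFIO PCI driver directory exists under sysfs.
# $1 overrides the sysfs root (assumed module names: vfio_pci, vfio_pci_core).
vfio_pci_present() {
    root=${1:-/sys}
    [ -d "$root/module/vfio_pci" ] || [ -d "$root/module/vfio_pci_core" ]
}

# Report for the running host.
printf 'kernel %s: %s, vfio-pci %s\n' "$(uname -r)" \
    "$(cve_2024_26812_status "$(uname -r)")" \
    "$(vfio_pci_present && echo present || echo absent)"
```

A distribution kernel can report in-nvd-range while carrying a backport, so treat that result as a prompt to check the vendor advisory.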
Evidence notes
This debrief is based on the supplied NVD CVE record and the linked kernel.org stable patch references. The CVE was published on 2024-04-05 and later modified on 2026-05-12 in the supplied data. NVD classifies it as CWE-476 (NULL Pointer Dereference) with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The supplied CPE criteria identify affected Linux kernel ranges and Debian 10.0, while the patch references indicate the issue was fixed across multiple stable kernel branches. Additional downstream references are listed in the NVD metadata.
Official resources
- CVE-2024-26812 CVE record (CVE.org)
- CVE-2024-26812 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
Publicly disclosed in the supplied NVD record on 2024-04-05T09:15:09.283Z; later modified on 2026-05-12T12:16:20.167Z.