PatchSiren

CVE-2024-26859 Linux CVE debrief

CVE-2024-26859 describes a race condition in the Linux kernel's bnx2x network driver that can surface during EEH error recovery and reset handling. In affected paths, transmit-timeout recovery and EEH slot reset logic can overlap while SGEs/page-pool pages are being freed, which can lead to access to freed memory and a system crash. NVD rates the issue as medium severity with local attack requirements and availability impact only.

Vendor: Linux
Product: CVE-2024-26859
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-17
Original CVE updated: 2026-05-12
Advisory published: 2024-04-17
Advisory updated: 2026-05-12

Who should care

Linux administrators and platform owners running affected kernels with the bnx2x driver enabled, especially on systems where EEH or other error-recovery/reset paths may be exercised. Production hosts that depend on kernel availability should prioritize remediation even though the issue is local and high-complexity.

Technical summary

The vulnerability is a race condition (CWE-362) in bnx2x reset and teardown logic. The CVE description says bnx2x_tx_timeout() can schedule reset work that reaches bnx2x_nic_unload() and frees SGEs, while EEH recovery via bnx2x_io_slot_reset() may attempt to free the same resources concurrently. That overlap can leave sw_rx_page/page-pool state invalid and result in a NULL or freed-page access in bnx2x_free_rx_sge(). NVD lists vulnerable Linux kernel ranges including 4.2 before 4.19.311, 4.20 before 5.4.273, 5.5 before 5.10.214, 5.11 before 5.15.153, 5.16 before 6.1.83, 6.2 before 6.6.23, 6.7 before 6.7.11, and 6.8 before 6.8.2.

Defensive priority

Medium. The CVSS vector is AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, so the main risk is kernel availability on affected hosts rather than code execution or data exposure. Prioritize if bnx2x is present in production or if the platform relies on EEH-driven recovery.

Recommended defensive actions

  • Identify hosts that load or depend on the bnx2x kernel driver.
  • Upgrade to a kernel version that includes the fix or apply your distribution's backport for CVE-2024-26859.
  • If you maintain an enterprise kernel stream, verify that the race-condition fix is present in your vendor patch set before scheduling maintenance.
  • Monitor for bnx2x-related kernel oopses, unexpected resets, and EEH recovery failures after remediation.
  • If a host does not use bnx2x, document it as not exposed to this CVE and exclude it from urgent patching.
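
The first two actions can be scripted per host. The following is an added example, not code from the advisory or the kernel project: it compares a kernel release string against the NVD ranges quoted in the technical summary and checks a /proc/modules listing for bnx2x. The function names are hypothetical, and it assumes a `sort` that supports `-V`.

```shell
# Added triage sketch for CVE-2024-26859; not part of the advisory.
# "START FIXED" pairs from the NVD ranges; in range when START <= v < FIXED.
RANGES="4.2 4.19.311
4.20 5.4.273
5.5 5.10.214
5.11 5.15.153
5.16 6.1.83
6.2 6.6.23
6.7 6.7.11
6.8 6.8.2"

# ver_lt A B: succeeds when A sorts strictly before B (assumes sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# upstream_version REL: keep the leading x.y[.z], e.g. 6.1.0-18-amd64 -> 6.1.0
upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# in_vulnerable_range REL: succeeds when REL falls inside a listed range.
in_vulnerable_range() {
    v=$(upstream_version "$1")
    while read -r start fixed; do
        if ! ver_lt "$v" "$start" && ver_lt "$v" "$fixed"; then return 0; fi
    done <<EOF
$RANGES
EOF
    return 1
}

# bnx2x_loaded [FILE]: FILE (default /proc/modules) lists bnx2x; built-in drivers are not listed.
bnx2x_loaded() {
    grep -q '^bnx2x ' "${1:-/proc/modules}" 2>/dev/null
}

# triage REL [FILE]: one-line verdict for a host.
triage() {
    if ! bnx2x_loaded "${2:-/proc/modules}"; then echo "not-exposed: bnx2x not loaded"
    elif in_vulnerable_range "$1"; then echo "review: bnx2x loaded, version in NVD range"
    else echo "ok: bnx2x loaded, version outside NVD range"
    fi
}

triage "$(uname -r)"
```

A "review" result is a prompt to check the vendor changelog, not a verdict: distribution kernels often carry backported fixes without changing the upstream version number.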

Evidence notes

The CVE was published on 2024-04-17 and later modified by NVD on 2026-05-12. The supplied description states the bug is in Linux kernel net/bnx2x and involves a race during EEH error handling leading to access of a freed page in page_pool. NVD lists the weakness as CWE-362 and provides the affected kernel version ranges and CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. The supplied official references are kernel patch/stable links and the CVE/NVD records.

Official resources

Publicly published on 2024-04-17T11:15:08.893Z; NVD later modified the record on 2026-05-12T12:16:21.553Z. This debrief uses the published date for disclosure timing.