PatchSiren cyber security CVE debrief

CVE-2024-26878 Linux CVE debrief

CVE-2024-26878 is a Linux kernel vulnerability in quota handling: a race between the path that frees an inode's quota charges and concurrent quota-off processing can turn an already-checked quota pointer into NULL before it is dereferenced. NVD lists affected Linux kernel release ranges across several stable branches. The upstream fix reads the dquot pointer once into a local variable and uses only that copy, so a quota-off running in the window between the check and the use can no longer change what the code dereferences. The primary impact is availability (a kernel oops), consistent with the published CVSS vector.

Vendor: Linux
Product: Linux kernel
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-17
Original CVE updated: 2026-05-12
Advisory published: 2024-04-17
Advisory updated: 2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernel versions should care, especially where filesystem quotas are in use (the race needs an active quota being turned off while inodes are being freed) and where an unplanned kernel crash would be operationally significant.

Technical summary

The kernel report describes a check-then-use race. dquot_free_inode (or another routine walking the inode's per-type quota pointers) tests that a pointer is non-NULL; quota_off then clears that pointer on its way through drop_dquot_ref and remove_dquot_ref; the first routine re-reads the slot at the use site and dereferences the NULL it now holds, producing a NULL pointer dereference and a kernel oops. The fix reads each quota pointer once into a temporary variable and uses only that copy for the rest of the sequence, so the value checked is the value used. NVD maps the issue to CWE-362 (race condition) and CWE-476 (NULL pointer dereference) and lists the affected Linux kernel ranges below, where the upper bound of each range is the first stable release that carries the fix:
  • below 4.19.311
  • 4.20 up to, but not including, 5.4.273
  • 5.5 up to, but not including, 5.10.214
  • 5.11 up to, but not including, 5.15.153
  • 5.16 up to, but not including, 6.1.83
  • 6.2 up to, but not including, 6.6.23
  • 6.7 up to, but not including, 6.7.11
  • 6.8 up to, but not including, 6.8.2
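The check-then-use gap and the temporary-pointer fix, as an added user-space model written for this debrief. It is not the kernel's code and not PatchSiren's: `struct dquot`, `struct inode`, `remove_inode_dquot_ref_model`, `free_inode_racy`, `free_inode_fixed` and `run_model` are stand-ins that keep only the pointer-handling shape of `dquot_free_inode` and of the quota-off path, and the "other CPU" is simulated by a hook that runs deterministically in the window between the NULL check and the dereference. Where the kernel would dereference NULL, the model returns a sentinel instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

#define MAXQUOTAS 3            /* user, group, project: same count as the kernel */
#define WOULD_OOPS (-1)        /* model's stand-in for a NULL-pointer oops */

/* Stripped-down stand-ins for the kernel objects. This is a model of the
 * access pattern, not fs/quota/dquot.c. */
struct dquot {
    long dq_curinodes;                      /* inodes charged to this quota */
};

struct inode {
    struct dquot *i_dquot[MAXQUOTAS];       /* per-type quota pointers */
};

/* Hook standing in for the other CPU (quota_off -> drop_dquot_ref ->
 * remove_dquot_ref) running between P1's NULL check and P1's dereference. */
typedef void (*interleave_fn)(struct inode *inode, int type);

/* What quota-off does to one inode for one quota type: clear the pointer.
 * The dquot object itself is left alone; the kernel likewise keeps it
 * allocated until its SRCU grace period has passed. */
void remove_inode_dquot_ref_model(struct inode *inode, int type)
{
    inode->i_dquot[type] = NULL;
}

/* Pre-fix shape of dquot_free_inode(): check dquots[cnt], then read the slot
 * again at the use site. Returns the number of quota types decremented, or
 * WOULD_OOPS where the kernel would have dereferenced NULL. */
int free_inode_racy(struct inode *inode, interleave_fn other_cpu)
{
    struct dquot **dquots = inode->i_dquot;
    int charged = 0;

    for (int cnt = 0; cnt < MAXQUOTAS; cnt++) {
        if (!dquots[cnt])                   /* (1) check */
            continue;
        if (other_cpu)
            other_cpu(inode, cnt);          /* (2) quota_off clears the slot */
        if (!dquots[cnt])                   /* (3) use re-reads the slot ...  */
            return WOULD_OOPS;              /* ... kernel: dquots[cnt]->lock  */
        dquots[cnt]->dq_curinodes--;
        charged++;
    }
    return charged;
}

/* Post-fix shape: read the pointer once into a temporary and use only that.
 * The slot may be cleared in the window, but the snapshot is never NULL. */
int free_inode_fixed(struct inode *inode, interleave_fn other_cpu)
{
    struct dquot **dquots = inode->i_dquot;
    int charged = 0;

    for (int cnt = 0; cnt < MAXQUOTAS; cnt++) {
        struct dquot *dquot = dquots[cnt];  /* single read */
        if (!dquot)
            continue;
        if (other_cpu)
            other_cpu(inode, cnt);          /* slot cleared; dquot still valid */
        dquot->dq_curinodes--;              /* uses the snapshot */
        charged++;
    }
    return charged;
}

/* Fresh inode with all three quota types attached, run through one variant.
 * fixed: 0 = pre-fix path, 1 = post-fix path; race: 1 = quota-off in window. */
int run_model(int fixed, int race)
{
    struct dquot dq[MAXQUOTAS] = { { 10 }, { 10 }, { 10 } };
    struct inode ino = { { &dq[0], &dq[1], &dq[2] } };
    interleave_fn hook = race ? remove_inode_dquot_ref_model : NULL;

    return fixed ? free_inode_fixed(&ino, hook) : free_inode_racy(&ino, hook);
}

int main(void)
{
    static const char *variant[] = { "pre-fix", "post-fix" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int race = 0; race < 2; race++) {
            int r = run_model(fixed, race);
            printf("%-8s %-24s -> %s\n", variant[fixed],
                   race ? "quota_off in the window" : "no interleaving",
                   r == WOULD_OOPS ? "NULL dereference (oops)" : "ok");
        }
    return 0;
}
```

Only the pre-fix path with quota-off in the window reports the oops; the other three combinations complete. One caveat the model makes visible: copying the pointer is only a correct fix because the dquot object outlives the window. In the kernel that is guaranteed by the SRCU discipline around these paths (the free path runs under the dquot SRCU read lock and quota-off waits for the grace period before dropping its references); a snapshot of a pointer whose target could be freed in the same window would trade a NULL dereference for a use-after-free, not remove the bug.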

Defensive priority

Medium. This is a local availability issue with broad kernel exposure, but the corpus does not indicate code execution or data integrity impact. Prioritize systems that rely on quota management and cannot tolerate kernel crashes.

Recommended defensive actions

  • Update to a kernel release that includes the upstream fix (the first fixed release of each stable branch is the upper bound of the NVD ranges above) or the relevant vendor backport.
  • Apply your distribution's security advisory and confirm the patch is present in the shipped kernel package.
  • Compare the kernel version running on production systems against the NVD ranges as a first pass, then confirm with the distribution advisory or package changelog: distribution kernels backport fixes without changing the upstream version number, so a version-only check both over- and under-reports.
  • Validate that any custom or embedded Linux builds include the quota race fix before deployment; builds that track a stable branch below the fixed release are affected regardless of vendor.
  • Until patched builds are fully deployed, monitor for kernel oopses whose backtrace shows dquot_free_inode or the quota_off path, particularly on hosts where quotas are turned off while the filesystem is busy.

Evidence notes

Derived from the NVD record published 2024-04-17 and modified 2026-05-12, plus the kernel patch references linked in the record. The vulnerability description explicitly states a race leading to NULL pointer dereference and names the fix approach as using a temporary pointer. Version scope and weakness classifications come from the NVD CPE and CWE metadata.

Official resources

Publicly disclosed in the CVE record on 2024-04-17; NVD last modified the record on 2026-05-12. The included kernel fix references indicate remediation was published through upstream/stable patch links.