PatchSiren cyber security CVE debrief
CVE-2024-27437 Linux CVE debrief
CVE-2024-27437 is a Linux kernel VFIO/pci issue in exclusive INTx interrupt handling. On devices that need masking at the irqchip and do not support DisINTx, the kernel could enable the IRQ during request_irq() and then disable it afterward to match the masked state. That brief window created a race: if the interrupt fired in between, the disable depth could be incremented twice and become unrecoverable for the user because vfio’s masked flag prevents nested enables. The fix in the kernel stable patch set changes the logic to use IRQF_NO_AUTOEN so exclusive INTx is never auto-enabled, and the IRQ is unmasked only when appropriate. The published CVE record lists the issue as medium severity with a local attack vector and high availability impact.
- Vendor: Linux
- Product: CVE-2024-27437
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-05
- Original CVE updated: 2026-05-12
- Advisory published: 2024-04-05
- Advisory updated: 2026-05-12
Who should care
Linux kernel maintainers, distribution security teams, and operators of VFIO PCI passthrough or other configurations that rely on exclusive INTx handling should care most. Systems running affected kernel versions, especially where passthrough devices lack DisINTx support, may be exposed to a local availability issue until patched.
Technical summary
The vulnerability is a race in vfio/pci interrupt setup for exclusive INTx. The kernel previously relied on request_irq() auto-enabling the IRQ and then synchronizing masked state afterward. For certain devices, that created a narrow timing window where an interrupt could arrive before the follow-up disable, causing the IRQ disable depth to be incremented twice. Because vfio’s masked flag blocks nested enables, the interrupt state could not be cleanly recovered. The upstream/stable fix inverts the control flow: IRQF_NO_AUTOEN prevents automatic enablement, and the interrupt is explicitly unmasked when needed. NVD marks affected Linux kernel ranges across multiple stable branches, with a separate Debian Linux 10.0 criterion also listed in the record.
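The race described above, as an added example that is neither kernel code nor part of the original debrief: a simplified, single-threaded C model of the IRQ disable depth and vfio's masked flag. All names (`intx_model`, `device_fires`, `setup_prefix`, `setup_fixed`, `residual_depth`) are hypothetical, and the model assumes the interrupt handler masks the line and sets the masked flag when it runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of one exclusive INTx line; not kernel code. */
struct intx_model {
    int  depth;   /* IRQ disable depth; 0 means the line is enabled */
    bool masked;  /* vfio's masked flag for this interrupt context */
};

/* Device asserts INTx. Assumption: the handler runs only while the line is
 * enabled, then masks at the irqchip and sets the masked flag (no DisINTx). */
static void device_fires(struct intx_model *m) {
    if (m->depth == 0) { m->depth++; m->masked = true; }
}

/* User unmask: a single enable, and only if the flag says "masked". */
static void user_unmask(struct intx_model *m) {
    if (m->masked) { m->depth--; m->masked = false; }
}

/* Pre-fix setup: request_irq() auto-enables, then a disable aligns the line. */
static void setup_prefix(struct intx_model *m, bool masked, bool fires_in_window) {
    m->depth = 0; m->masked = masked;
    if (fires_in_window) device_fires(m);   /* the race window */
    if (m->masked) m->depth++;              /* follow-up disable */
}

/* Fixed setup: IRQF_NO_AUTOEN leaves the line disabled; unmask if needed. */
static void setup_fixed(struct intx_model *m, bool masked, bool fires_in_window) {
    m->depth = 1; m->masked = masked;
    if (fires_in_window) device_fires(m);   /* not delivered: line is off */
    if (!m->masked) m->depth--;             /* explicit unmask */
}

/* Disable depth left after setup and the user's unmask requests. */
int residual_depth(bool fixed, bool masked, bool fires_in_window) {
    struct intx_model m;
    (fixed ? setup_fixed : setup_prefix)(&m, masked, fires_in_window);
    if (fires_in_window) device_fires(&m);  /* level-triggered: still asserted */
    user_unmask(&m);
    user_unmask(&m);                        /* second request is a no-op */
    return m.depth;
}

int main(void) {
    printf("pre-fix, IRQ in window: depth %d\n", residual_depth(false, false, true));
    printf("fixed,   IRQ in window: depth %d\n", residual_depth(true, false, true));
    return 0;
}
```

A residual depth of 1 with the masked flag clear is the stuck state in this model: the line stays disabled and further unmask requests are ignored.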
Defensive priority
Medium. This is primarily an availability and reliability issue, but it affects core interrupt state in VFIO environments and can leave devices in an unrecoverable disabled-interrupt condition. Patch priority is higher for hosts using PCI passthrough or exclusive INTx with devices lacking DisINTx support.
Recommended defensive actions
- Update to a kernel release that includes the stable fix for CVE-2024-27437.
- If you maintain a downstream kernel, backport the vfio/pci IRQF_NO_AUTOEN change and validate it in your release branch.
- Inventory hosts using VFIO PCI passthrough or exclusive INTx and prioritize those systems for remediation.
- Verify whether affected kernel version ranges listed by NVD are present in production, including long-term support branches.
- Plan a reboot into the patched kernel after rollout, since the fix takes effect only once the patched kernel is the one running.
- Monitor downstream distribution advisories and vendor errata for backported fixes.
Evidence notes
The issue description states that vfio/pci could auto-enable exclusive INTx IRQs before masked state alignment, creating a race that could double the disable depth and leave the IRQ unrecoverable. The stable patch references in kernel.org support the fix strategy of disabling auto-enable and explicitly controlling unmasking. NVD lists the CVE as modified on 2026-05-12, with the original public CVE publication timestamp of 2024-04-05.
Official resources
- CVE-2024-27437 CVE record (CVE.org)
- CVE-2024-27437 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
Public CVE publication timestamp: 2024-04-05T09:15:09.443Z. NVD record modified timestamp: 2026-05-12T12:16:33.533Z. No KEV entry was provided.