CVE-2024-26584: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26584 affects the Linux kernel's TLS (Transport Layer Security) subsystem. The vulnerability was discovered in February 2024 and involves improper handling of crypto request backlogging. The issue affects Linux kernel versions from 4.16.0 up to (excluding) 6.1.84, 6.2.0 up to (excluding) 6.6.18, and 6.7.0 up to (excluding) 6.7.6 (NVD).

The vulnerability occurs when setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on requests to the crypto API, where crypto_aead_{encrypt,decrypt} can return -EBUSY instead of -EINPROGRESS in valid situations. This happens particularly when the cryptd queue for AESNI is full, which can be triggered with an artificially low cryptd.cryptd_max_cpu_qlen setting. The async callback is called twice in this case: first with err == -EINPROGRESS, followed by err == 0. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability affects the availability of the system by causing improper handling of crypto requests in the TLS subsystem. This could potentially lead to system instability or denial of service conditions when the cryptd queue becomes full (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves modifying the TLS subsystem to properly handle backlogging of crypto requests by using new tls_*crypt_async_wait() helpers and converting EBUSY to EINPROGRESS to maintain consistent error handling paths. Updates are available for affected versions through various Linux distributions (Kernel Patch).