CVE-2024-26603: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26603 affects the Linux kernel's x86/fpu module, specifically related to handling user space buffer information in the xsave buffer. The vulnerability was discovered in January 2024 and disclosed on February 26, 2024. It affects Linux kernel versions from 5.14.0 up to versions before 5.15.150, 6.1.79, 6.6.18, and 6.7.6 (NVD).

The vulnerability stems from the kernel relying on user-space information (fx_sw->xstate_size) to determine the size of the buffer to fault in. An attacker can manipulate fx_sw->xstate_size to be smaller than the size required by valid bits in fx_sw->xfeatures and unmap parts of the sigframe fpu buffer. When xrstor attempts to restore and access the unmapped area, it results in a fault, but fault_in_readable succeeds because buf + fx_sw->xstate_size is within the mapped area, causing an infinite loop (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in a denial of service condition through an infinite loop in the kernel's FPU handling code. This can cause the system to become unresponsive when processing certain FPU state restorations (NVD).

The vulnerability has been fixed in the Linux kernel by modifying the code to use fpstate->user_size instead of relying on user-provided fx_sw->xstate_size. The fix has been backported to affected stable kernel versions. Users should update to Linux kernel versions 5.15.150, 6.1.79, 6.6.18, 6.7.6 or later (Kernel Patch).