CVE-2024-26976: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26976 affects the Linux kernel's KVM (Kernel Virtual Machine) subsystem, specifically related to the handling of async page fault workqueues when a virtual CPU (vCPU) is being destroyed. The vulnerability was discovered in January 2024 and affects various Linux kernel versions (NVD, RHSA).

The vulnerability stems from improper handling of workqueue callbacks when the last reference to the KVM module is released. The issue occurs because gifting a reference to the associated VM prevents workqueue callback from dereferencing freed vCPU/VM memory, but does not prevent the KVM module from being unloaded before the callback completes. This can lead to a deadlock condition when kvm_put_kvm() is called from async_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue (Kernel Commit). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.0 (HIGH) with vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (RHSA).

The vulnerability could potentially lead to a denial of service condition through a deadlock, affecting system stability and availability. The deadlock occurs because async_pf_execute() cannot return until kvm_put_kvm() finishes, and kvm_put_kvm() cannot return until async_pf_execute() finishes (Kernel Commit).

The issue has been fixed by adding proper flushing of the async #PF workqueue when a vCPU is being destroyed. The fix includes dropping the VM refcount gifting and adding a helper function to handle the flushing, specifically dealing with "wakeup all" work items (Kernel Commit). The fix has been backported to various Linux distributions including Red Hat Enterprise Linux and Debian (RHSA).