CVE-2024-26885
Description
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
The devmap code allocates a number of hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end.
Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation.
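The ordering problem described above, modelled in user-space C as an added example (not the kernel's code and not the actual patch). It assumes a 32-bit unsigned long, represented here by uint32_t; the function names are hypothetical, and the shift count is computed rather than executed so the program itself stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>

#define ULONG_BITS_32 32u /* width of unsigned long on a 32-bit arch (modelled) */

/* 1-based index of the highest set bit, 0 when x == 0 (fls-style helper). */
static unsigned fls32(uint32_t x)
{
    unsigned n = 0;
    for (; x; x >>= 1)
        n++;
    return n;
}

/* Shift count a "1 << fls(n - 1)" round-up to a power of two needs for n. */
static unsigned roundup_shift(uint32_t n)
{
    return fls32(n - 1);
}

/* Check-after-rounding order: returns 1 when the rounding step itself would
 * shift by the full type width (undefined in C) before any check runs. */
static int old_order_hits_ub(uint32_t max_entries)
{
    return roundup_shift(max_entries) >= ULONG_BITS_32;
}

/* Check-before-rounding order: returns the bucket count, or 0 on rejection.
 * Rejecting 0 as well is an assumption that keeps this model free of UB. */
static uint32_t new_order_buckets(uint32_t max_entries)
{
    if (max_entries == 0 || max_entries > (UINT32_C(1) << 31))
        return 0;
    return UINT32_C(1) << roundup_shift(max_entries);
}

int main(void)
{
    /* Constructed sample values around the 0x80000000 boundary. */
    const uint32_t samples[] = { 5, 0x80000000u, 0x80000001u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("max_entries=0x%08x shift=%u old_order_ub=%d new_order_buckets=0x%08x\n",
               (unsigned)samples[i], roundup_shift(samples[i]),
               old_order_hits_ub(samples[i]), (unsigned)new_order_buckets(samples[i]));
    return 0;
}
```

For 0x80000000 the required shift is 31 and the result is still representable; one entry more needs a shift of 32, which is why a zero test on the rounded result comes too late.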
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A 32-bit integer overflow in the Linux kernel's BPF DEVMAP_HASH bucket count leads to a crash on arm32 when max_entries exceeds 0x80000000.
Vulnerability Overview
CVE-2024-26885 describes an integer overflow vulnerability in the Linux kernel's BPF subsystem, specifically within the devmap code for hash-based maps (DEVMAP_HASH). The bug resides in the calculation of the number of hash buckets: the code allocates a number equal to the next power of two of the max_entries value provided at map creation. On 32-bit architectures, the variable storing the bucket count is a 32-bit unsigned integer, which can overflow when max_entries is larger than 0x80000000. The existing overflow check only triggered if the final truncated value became zero, but on 32-bit systems the internal left-shift operation during rounding up can itself overflow, leading to undefined behavior and a crash. This was reproduced by syzbot on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then performing an update. [1][2]
Attack Vector
To exploit this vulnerability, an attacker would need to have the ability to create and update a BPF DEVMAP_HASH map on a system running a 32-bit kernel (such as arm32). This typically requires a privileged user or specific BPF-related capabilities (e.g., CAP_BPF). The attack does not require physical access but relies on the ability to provide crafted max_entries values via the bpf() syscall. No authentication bypass is needed if the attacker already has such permissions. [1]
Impact
Successful exploitation can crash the kernel (denial of service) due to the undefined behavior and resulting memory corruption. The crash was confirmed on arm32, and similar systems with 32-bit unsigned long types are potentially affected. The vulnerability does not directly lead to arbitrary code execution based on the description, but a system crash can be leveraged to disrupt operations or cause further instability. [1]
Mitigation
The fix moves the overflow check to before the rounding-up operation, preventing the undefined shift. Patched versions are available in the Linux kernel stable trees; administrators should update their kernels to include the commit that resolves this issue. Systems with 64-bit architecture are not affected due to the larger unsigned long size. Siemens has also listed this CVE as affecting their SIMATIC S7-1500 TM MFP - GNU/Linux subsystem across all versions. [1][4]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Linux/Linux v5, Range: 5.4
References
- git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c (nvd, Patch)
- git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb (nvd, Patch)
- git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691 (nvd, Patch)
- git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3 (nvd, Patch)
- git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3 (nvd, Patch)
- git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c (nvd, Patch)
- git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737 (nvd, Patch)
- cert-portal.siemens.com/productcert/html/ssa-265688.html (nvd)
- git.kernel.org/stable/c/1f5e352b9088211fa5eb4e1639cd365f4f7d2f65 (nvd)
- git.kernel.org/stable/c/4b81a9f92b3676cb74b907a7a209b3d15bd9a7f9 (nvd)
- lists.debian.org/debian-lts-announce/2024/06/msg00017.html (nvd)