CVE-2024-0564 in Linuxinfo

Summary

by MITRE • 01/30/2024

A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page sharing=256", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's "max page share". Through these operations, the attacker can leak the victim's page.


Analysis

by VulDB Data Team • 09/14/2025

The vulnerability described in CVE-2024-0564 resides in the Linux kernel's Kernel Samepage Merging (KSM) mechanism, a memory deduplication feature in which the ksmd kernel thread periodically scans memory that has been advertised as mergeable and replaces pages with identical content by a single shared, copy-on-write KSM page. KSM itself long predates the kernel build cited in the CVE description; the component at issue is the max page sharing limit (the max_page_sharing knob under /sys/kernel/mm/ksm), which the CVE description dates to the 4.4.0-96.119 kernel build. That limit caps how many virtual mappings a single KSM page may have, not how many processes may use KSM. With the default value of 256, once 256 mappings point at one KSM page the next identical page is not added to it but is backed by a further physical KSM page with the same contents. Whether or not that extra page has to be created is observable, and that is what the timing side channel exploits.

Exploitation rests on the attacker controlling memory of their own on the same host and coordinating it with the victim's pages. The attacker fills pages with a guessed value of the victim's content, marks them mergeable, lets ksmd run, and then unmaps them while timing the operation. As the CVE description puts it, the unmap time depends on whether the attacker's page merged with the victim's page and whether additional physical pages had to be created beyond the max page sharing limit: the work done on unmap differs between a page that is one of many mappings of an existing KSM page and one that forced a fresh KSM page to be allocated. That measurable difference reveals whether the victim already holds a page with the guessed contents, and repeating the procedure over candidate values leaks the victim's page. Because the attacker only observes the timing of operations on their own pages, no access to the victim's address space is needed, only co-residency on a host where KSM is active.

Operationally, this matters most in multi-tenant and virtualized environments where several users, containers or virtual machines share one physical host. What can be recovered is the contents of pages the attacker is able to guess, so the realistic targets are high-value, low-entropy data: a known file, a configuration block, or a cryptographic key whose surrounding bytes are predictable. The attacker needs only unprivileged process-level access on the same host, which makes cloud, container and shared-hosting deployments the concerning cases. Two caveats narrow the exposure compared with how the summary reads. First, the KSM scanner is not running on a mainline kernel by default (/sys/kernel/mm/ksm/run is 0); it is enabled deliberately, typically on virtualization hosts, where tooling such as ksmtuned turns it on. Second, only memory that has been advertised as mergeable (via madvise(MADV_MERGEABLE), or process-wide via the newer prctl(PR_SET_MEMORY_MERGE)) takes part in merging, so a victim is exposed only where its memory has been marked that way, as hypervisors commonly do for guest RAM. Where both conditions hold, the default max page sharing value of 256 leaves the side channel reachable without any special attack conditions.

Mitigation is a configuration matter. The direct fix is to turn KSM off on hosts that serve mutually untrusted tenants: writing 0 to /sys/kernel/mm/ksm/run stops the ksmd scanner, and writing 2 additionally unmerges pages that were already shared, which is the setting to use when merged pages may already exist (run=0 only prevents new merges and leaves existing shared pages in place). The cost is the memory saving KSM provided, which on a densely packed VM host can be substantial. Lowering max_page_sharing below 256 is not a mitigation: the timing difference appears whenever a KSM page reaches the limit, so a smaller value only moves the threshold and, if anything, makes it easier to hit. Kernel hardening features that restrict what a process may map do not address the leak either, since the attacker only times operations on pages they own. Detecting exploitation by watching unmap timings is not practical from user space; a more useful signal is unexpected growth in pages_shared and pages_sharing under /sys/kernel/mm/ksm on a host where KSM was not meant to be active. The weakness is an observable timing discrepancy, a classic side channel rather than a memory-safety or logic error, and it demonstrates the ongoing challenge of keeping kernel-level memory-management optimizations free of cross-tenant information leaks.
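As an added example (not part of the VulDB entry, and not Red Hat's or the kernel's own code), the following POSIX shell audit reads the KSM knobs discussed above, classifies a host's exposure to the side channel, and applies the run=2 mitigation. The knob names and their meanings are those documented for /sys/kernel/mm/ksm; the directory is passed as a parameter so the functions can be exercised against a constructed directory, and the warning condition (any merged page at all while ksmd is running) is this example's own choice, not a threshold from the advisory.

```shell
#!/bin/sh
# ksm_audit.sh: added example for CVE-2024-0564, not code from the advisory or the kernel.
# Reads the KSM sysfs knobs and reports whether the unmap-timing side channel is reachable.
# The sysfs directory is a parameter so the functions can run against a constructed
# directory; on a real host use the default /sys/kernel/mm/ksm.

ksm_read() {
    # $1 = sysfs directory, $2 = knob name; prints the value, or "missing" if unreadable
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        printf 'missing\n'
    fi
}

# ksm_status DIR -> prints one of:
#   absent    no KSM sysfs directory (KSM not compiled in or not mounted)
#   off       run=0: ksmd stopped; nothing new is merged, existing merges remain
#   unmerged  run=2: ksmd stopped and all merged pages split back into private copies
#   exposed   run=1: ksmd actively merging, side channel reachable by co-tenants
#   unknown   run holds an unexpected value
ksm_status() {
    dir=${1:-/sys/kernel/mm/ksm}
    [ -d "$dir" ] || { printf 'absent\n'; return 0; }
    run_val=$(ksm_read "$dir" run)
    case "$run_val" in
        0) printf 'off\n' ;;
        1) printf 'exposed\n' ;;
        2) printf 'unmerged\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# ksm_report DIR -> summary of the knobs the advisory names and the merge counters.
# pages_shared   = number of KSM pages backing merged content
# pages_sharing  = number of additional mappings pointing at those pages
ksm_report() {
    dir=${1:-/sys/kernel/mm/ksm}
    status=$(ksm_status "$dir")
    printf 'ksm status: %s\n' "$status"
    [ "$status" = absent ] && return 0
    printf 'max_page_sharing: %s (mappings per KSM page before a duplicate is created)\n' \
        "$(ksm_read "$dir" max_page_sharing)"
    printf 'pages_shared: %s\n' "$(ksm_read "$dir" pages_shared)"
    printf 'pages_sharing: %s\n' "$(ksm_read "$dir" pages_sharing)"
    # Example's own rule: any merged page while ksmd runs is worth flagging on a shared host.
    if [ "$status" = exposed ] && [ "$(ksm_read "$dir" pages_sharing)" -gt 0 ] 2>/dev/null; then
        printf 'WARNING: merged pages exist; co-tenants can probe their contents via unmap timing\n'
    fi
    return 0
}

# ksm_disable DIR -> writes 2 to run: stops ksmd AND unmerges already-shared pages.
# Writing 0 would only stop future merging and leave existing shared pages in place.
ksm_disable() {
    dir=${1:-/sys/kernel/mm/ksm}
    [ -w "$dir/run" ] || return 1
    printf '2\n' > "$dir/run"
}

# Usage: ksm_audit.sh [--apply]    (KSM_DIR overrides the sysfs path)
if [ "${1:-}" = "--apply" ]; then
    ksm_disable "${KSM_DIR:-/sys/kernel/mm/ksm}"
fi
ksm_report "${KSM_DIR:-/sys/kernel/mm/ksm}"
```

Run it without arguments to audit, and with --apply (as root) to stop ksmd and unmerge. The choice of run=2 over run=0 is deliberate: pages that were merged before the change would otherwise stay shared and remain probeable.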

Responsible

Red Hat, Inc.

Reservation

01/15/2024

Disclosure

01/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00623

KEV

no

Activities

very low

Sources
