CVE-2024-27007 in Linux
Summary
by MITRE • 05/01/2024
In the Linux kernel, the following vulnerability has been resolved:
userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE
Commit d7a08838ab74 ("mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails") moved the src_folio->{mapping, index} changing to
after clearing the page-table and ensuring that it's not pinned. This avoids failure of swapout+migration and possibly memory corruption.
However, the commit missed fixing it in the huge-page case.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/07/2026
The vulnerability described in CVE-2024-27007 resides within the Linux kernel's userfaultfd implementation, specifically affecting the UFFDIO_MOVE operation handling. This issue represents a critical memory management flaw that can lead to system instability and potential memory corruption. The userfaultfd subsystem provides userspace processes with mechanisms to handle page faults, particularly useful for memory management optimizations and virtualization scenarios. The vulnerability manifests when processing huge pages during UFFDIO_MOVE operations, where the kernel fails to properly manage the source folio's mapping and index attributes.
The technical flaw stems from an incomplete fix introduced in commit d7a08838ab74 which addressed similar issues in regular page handling but overlooked the huge-page case. In normal page operations, the kernel correctly repositions the src_folio's mapping and index attributes only after ensuring the page table is cleared and the page is no longer pinned. This ordering prevents race conditions that could lead to swapout and migration failures, as well as memory corruption scenarios. However, the fix was applied only to the standard page path, leaving the huge-page code path vulnerable to the same race condition.
The operational impact of this vulnerability extends beyond simple memory management issues to potentially compromise system stability and security. When huge pages are involved in userfaultfd operations, the improper handling of src_folio attributes can cause swapout processes to fail, leading to memory leaks or system crashes. The memory corruption risks are particularly concerning in virtualized environments where userfaultfd is heavily utilized for memory management optimization. Attackers could potentially exploit this vulnerability to cause denial of service or, in more sophisticated scenarios, achieve arbitrary code execution by manipulating the memory state during page migration operations.
This vulnerability aligns with CWE-362, which addresses concurrent execution using locks, and CWE-129, concerning improper validation of array indices. The issue also maps to ATT&CK technique T1059.005, where adversaries might leverage memory corruption vulnerabilities to execute malicious code. The root cause demonstrates poor resource management in kernel space, specifically in the interaction between memory management subsystems and userfaultfd operations. The fix requires ensuring that huge-page handling follows the same ordering principles as regular pages, where mapping and index changes occur only after page table cleanup and pinning verification. System administrators should prioritize applying the kernel patches that address this specific issue, particularly in environments where userfaultfd is actively used for memory management optimizations or virtualization workloads.