CVE-2024-36881 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: reset ptes when close() for wr-protected ones
Userfaultfd unregister includes a step to remove wr-protect bits from all the relevant pgtable entries, but that only covered an explicit UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover that too. This fixes a WARN trace.
The only user visible side effect is the user can observe leftover wr-protect bits even if the user close()ed on an userfaultfd when releasing the last reference of it. However hopefully that should be harmless, and nothing bad should happen even if so.
This change is now more important after the recent page-table-check patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check: support userfault wr-protect entries")), as we'll do sanity check on uffd-wp bits without vma context. So it's better if we can 100% guarantee no uffd-wp bit leftovers, to make sure each report will be valid.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 08/28/2025
The vulnerability identified as CVE-2024-36881 resides within the Linux kernel's memory management subsystem, specifically concerning the userfaultfd mechanism that enables userspace applications to handle page faults asynchronously. This flaw represents a subtle but significant inconsistency in how write-protected page table entries are managed when userfaultfd file descriptors are closed, creating potential for system instability and violating fundamental memory management principles. The issue manifests when a userfaultfd file descriptor is closed, as opposed to explicitly unregistering it through the UFFDIO_UNREGISTER ioctl call, leaving behind write-protection bits in page table entries that should have been cleared.
The technical root cause stems from an incomplete implementation of the userfaultfd cleanup process within the kernel's memory management code. While the existing code properly handles write-protection bit removal during explicit UFFDIO_UNREGISTER operations, it fails to perform the same cleanup when a userfaultfd file descriptor is closed through the standard close() system call. This discrepancy creates a scenario where page table entries retain write-protection bits even after the userfaultfd context has been terminated, resulting in kernel warning traces and potentially invalid memory state reporting. The vulnerability operates at the intersection of memory management and device driver interfaces, specifically affecting the mm/userfaultfd subsystem and its interaction with page table management structures.
The operational impact of this vulnerability extends beyond simple warning messages, as it creates inconsistencies in memory state management that can affect system stability and security posture. Although the immediate user-visible effect appears to be harmless, with only leftover write-protection bits remaining in page tables, the underlying issue becomes more critical when considering the broader context of recent kernel security improvements. The vulnerability's significance increases substantially following the introduction of page-table-check patches that perform sanity checks on userfault write-protection bits without VMA context, making the presence of leftover bits potentially disruptive to these validation mechanisms. This creates a scenario where legitimate memory management operations could be incorrectly flagged or where security-critical validation routines might produce false positives, undermining the integrity of kernel memory management subsystems.
The mitigation strategy for this vulnerability involves ensuring complete cleanup of write-protection bits regardless of how a userfaultfd file descriptor is closed, whether through explicit unregister operations or standard close() calls. This requires modifications to the kernel's file descriptor closing mechanism for userfaultfd objects to ensure consistent behavior and prevent any leakage of write-protection bits into page table entries. The fix addresses a fundamental consistency issue in kernel memory management and aligns with security best practices by guaranteeing complete resource cleanup and preventing potential information leakage through stale memory management state. This vulnerability exemplifies the importance of comprehensive resource management in kernel code and demonstrates how seemingly minor inconsistencies can have cascading effects on system security and stability. The issue relates to CWE-676, which addresses the use of potentially dangerous functions, and may intersect with ATT&CK techniques involving privilege escalation or system integrity compromise through memory management vulnerabilities.
This vulnerability represents a critical gap in the Linux kernel's memory management subsystem that could potentially enable attackers to exploit inconsistencies in memory state management. The fix ensures that all write-protection bits are properly cleared during userfaultfd cleanup operations, regardless of the closure method used, thereby maintaining kernel memory integrity and preventing potential security implications from stale memory management state. The importance of this fix becomes evident when considering the broader security implications of page table validation mechanisms and the need for consistent memory management behavior across all userfaultfd operations.