CVE-2024-40948 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
mm/page_table_check: fix crash on ZONE_DEVICE
Not all pages may apply to pgtable check. One example is ZONE_DEVICE pages: they map PFNs directly, and they don't allocate page_ext at all even if there's struct page around. One may reference devm_memremap_pages().
When both ZONE_DEVICE and page-table-check are enabled, then try to map some dax memories, and one can trigger a kernel bug constantly now when the kernel tries to inject some pfn maps on the dax device:
kernel BUG at mm/page_table_check.c:55!
While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page fault resolutions, skip all the checks if page_ext doesn't even exist in the pgtable checker, which applies to ZONE_DEVICE but maybe more.
Analysis
by VulDB Data Team • 10/07/2025
The vulnerability described in CVE-2024-40948 represents a critical kernel panic condition within the Linux kernel's memory management subsystem, specifically affecting the page table checking mechanism. This issue manifests when the kernel attempts to process ZONE_DEVICE pages during direct access (DAX) memory mapping operations, creating a scenario where legitimate memory operations trigger kernel crashes. The root cause lies in the inconsistent handling of different page types within the page table validation framework, where the existing checks fail to account for pages that do not conform to standard memory allocation patterns.
The technical flaw occurs in the mm/page_table_check.c file at line 55, where the kernel hits a BUG condition when attempting to process ZONE_DEVICE pages that map physical frame numbers (PFNs) directly without allocating page_ext structures. ZONE_DEVICE pages are special memory regions used for device memory mapping through functions like devm_memremap_pages(), which create memory mappings that bypass normal page allocation mechanisms. These pages exist in the kernel's memory management hierarchy but lack the page_ext metadata that other page types normally carry, creating a mismatch in the page table checking logic.
This vulnerability specifically impacts systems utilizing DAX (Direct Access) memory features combined with ZONE_DEVICE memory regions, which are commonly found in high-performance computing environments, storage systems, and hardware acceleration scenarios. The operational impact is severe as it can cause complete system crashes during normal memory operations, particularly when the kernel attempts to inject PFN mappings on DAX devices. The crash occurs because the page table checker assumes all pages have page_ext structures, which is not true for ZONE_DEVICE pages that map PFNs directly and may not allocate page_ext even when struct page objects exist.
The vulnerability demonstrates a clear violation of proper memory management boundaries and can be classified under CWE-125: Uninitialized Memory Read, as the kernel attempts to access memory structures that may not be properly initialized for certain page types. From an ATT&CK perspective, this represents a privilege escalation vector through kernel exploitation, allowing attackers to cause a denial of service or, potentially, execute arbitrary code if exploited in a controlled environment. The fix addresses this by skipping all page table checks when no page_ext structure exists, a defensive programming approach that prevents the kernel from attempting to validate memory regions that cannot be validated because of their special allocation characteristics.
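To make the fix concrete, the following is an added userspace model of the page table checker's per-page accounting (it is not kernel code and not VulDB's). The `struct page`, `page_ext` and scenario helpers are constructed stand-ins, and the kernel's `BUG_ON()` is modelled as a return code so the pre-fix and post-fix paths can be compared side by side: a ZONE_DEVICE page with no `page_ext` hits the BUG before the fix and is skipped after it, while a normal anonymous page still has its mapping invariant enforced.

```c
/* Added userspace model (not kernel code) of mm/page_table_check's per-page
 * map-count accounting; struct page, page_ext and the scenarios are constructed
 * stand-ins, and the kernel's BUG_ON() is modelled as a return code. */
#include <stdbool.h>
#include <stddef.h>
enum ptc_result { PTC_OK, PTC_BUG, PTC_SKIPPED };
/* Stand-in for struct page_table_check (lives in page_ext). */
struct page_table_check { int anon_map_count; int file_map_count; };
/* Stand-in for struct page; ZONE_DEVICE pages have no page_ext at all. */
struct page { bool anon; struct page_table_check *page_ext; };
/* Invariant the checker enforces: a page is mapped either as anonymous or as
 * file-backed, and an anonymous page is never writable in two places. */
static enum ptc_result account_map(struct page_table_check *ptc, bool anon, bool rw)
{
    if (anon) {
        if (ptc->file_map_count) return PTC_BUG;
        if (++ptc->anon_map_count > 1 && rw) return PTC_BUG;
    } else {
        if (ptc->anon_map_count) return PTC_BUG;
        ptc->file_map_count++;
    }
    return PTC_OK;
}
/* Before the fix: a missing page_ext trips BUG_ON() in get_page_table_check(),
 * the "kernel BUG at mm/page_table_check.c:55" quoted above. */
enum ptc_result ptc_set_before_fix(struct page *page, bool rw)
{
    if (!page->page_ext) return PTC_BUG;
    return account_map(page->page_ext, page->anon, rw);
}
/* After the fix: pages without page_ext (ZONE_DEVICE) skip the check entirely. */
enum ptc_result ptc_set_after_fix(struct page *page, bool rw)
{
    if (!page->page_ext) return PTC_SKIPPED;
    return account_map(page->page_ext, page->anon, rw);
}
/* Scenario: a dax fault inserts a PFN for a ZONE_DEVICE page. */
enum ptc_result scenario_zone_device_fault(bool with_fix)
{
    struct page dev = { .anon = false, .page_ext = NULL };
    return with_fix ? ptc_set_after_fix(&dev, true) : ptc_set_before_fix(&dev, true);
}
/* Scenario: a normal anonymous page mapped writable twice. The fix must not
 * weaken this check, since such a page still has page_ext. */
enum ptc_result scenario_anon_double_rw_map(void)
{
    struct page_table_check ext = { 0, 0 };
    struct page anon_page = { .anon = true, .page_ext = &ext };
    if (ptc_set_after_fix(&anon_page, true) != PTC_OK) return PTC_BUG;
    return ptc_set_after_fix(&anon_page, true);
}
```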
Systems running Linux kernels with DAX support and device memory mapping capabilities are particularly vulnerable, including servers using persistent memory, NVMe over Fabrics, and other high-performance storage solutions. The mitigation strategy involves ensuring that page table checking mechanisms properly identify and exclude ZONE_DEVICE pages and similar non-standard memory regions from validation checks, while maintaining security for normal memory operations. This fix aligns with best practices for kernel memory management and prevents the kernel from crashing during legitimate memory operations that should be supported by the system's memory management subsystem.