CVE-2024-49975 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

uprobes: fix kernel info leak via "[uprobes]" vma

xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ: VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, as a debugger can read this memory anyway.


Analysis

by VulDB Data Team • 03/21/2026

CVE-2024-49975 is a critical information disclosure flaw in the Linux kernel's uprobes subsystem. It affects how virtual memory areas are handled during uprobes operations: the kernel inadvertently exposes sensitive information to user-space processes through an improperly configured memory mapping. The flaw stems from mismanaged memory protection attributes when the uprobes virtual memory area is created, opening a path for unauthorized data access that could reveal kernel internals or sensitive memory contents.

The root cause is in xol_add_vma(), which maps uninitialized pages allocated by __create_xol_area() into a user-space memory region. The mapping is created without adequate protection, so user-space processes can access memory that should remain restricted to kernel operations. On x86 the problem is especially pronounced: pages can be read even when they lack an explicit VM_READ permission, because the kernel's page protection mechanism does not enforce access control for these mappings. The pgprot_t flags are not configured to prevent unauthorized access, leaving a persistent information leak that malicious processes can exploit.

The operational impact goes beyond simple information disclosure: attackers gain potential access to kernel memory structures, sensitive data, or implementation details that could be leveraged in later attacks. The leaked information could help bypass security controls, support advanced exploitation techniques, or reveal kernel internals that would otherwise remain protected. Affected systems are those running Linux kernels with uprobes functionality, particularly on x86, where the memory protection inconsistency is most pronounced. Attackers could use the leak to learn kernel memory layouts, identify security boundaries, or craft more sophisticated attacks that depend on knowledge of kernel internals.

Mitigation should focus on enforcing proper memory protection during uprobes operations, particularly in the handling of virtual memory areas. Kernel updates that address this vulnerability should be applied immediately to all affected systems, since the leak is a fundamental weakness in the kernel's memory management subsystem. System administrators should also consider monitoring for suspicious memory access patterns and ensuring that only authorized processes have access to uprobes functionality. The fix should configure page protection flags so that memory regions created during uprobes operations cannot be read without authorization, in line with established practice for kernel memory management and information flow control.
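As an added example (not kernel code and not from VulDB) of the kind of inventory check the monitoring advice above calls for: this C program scans a /proc/<pid>/maps file for the "[uprobes]" vma named in the commit message and reports whether its XOL page is effectively readable, treating an execute-only mapping as readable on x86 exactly as the summary states. The maps path and the x86 flag are assumed inputs supplied by the caller; a "[uprobes]" mapping only shows that uprobes have been attached to that process, not that any data was leaked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
struct vma {                    /* the /proc/<pid>/maps fields this audit needs */
    unsigned long start, end;
    char perms[5];              /* e.g. "r-xp" */
    char path[256];             /* file path or pseudo-name such as "[uprobes]" */
};

/* Parse one maps line; the path field is absent for anonymous mappings. */
bool parse_maps_line(const char *line, struct vma *v)
{
    unsigned long ino;
    memset(v, 0, sizeof *v);
    return sscanf(line, "%lx-%lx %4s %*lx %*s %lu %255s",
                  &v->start, &v->end, v->perms, &ino, v->path) >= 4;
}

/* 'r' set, or 'x' set on x86, where VM_EXEC yields the same pgprot_t as VM_EXEC|VM_READ. */
bool effectively_readable(const struct vma *v, bool x86)
{
    return v->perms[0] == 'r' || (x86 && v->perms[2] == 'x');
}

/* -1 unparseable, 0 other vma, 1 "[uprobes]" not readable, 2 "[uprobes]" readable */
int classify_maps_line(const char *line, bool x86)
{
    struct vma v;
    if (!parse_maps_line(line, &v)) return -1;
    if (strcmp(v.path, "[uprobes]") != 0) return 0;
    return effectively_readable(&v, x86) ? 2 : 1;
}

/* Print every "[uprobes]" vma in a maps file; returns the count, or -1 if unopenable. */
int audit_maps(const char *maps_path, bool x86)
{
    FILE *f = fopen(maps_path, "r");
    if (!f) return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        int c = classify_maps_line(line, x86);
        if (c < 1) continue;
        found++;
        printf("%s: %sXOL page effectively readable: %s\n", maps_path, line, c == 2 ? "yes" : "no");
    }
    fclose(f);
    return found;
}
```

Calling audit_maps("/proc/self/maps", true) from a main() reports the current process; iterating over /proc/*/maps as root gives the system-wide inventory.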

This vulnerability aligns with CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) categories, representing a clear violation of information protection principles within the kernel's memory management. From an ATT&CK perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1068 (Exploitation for Privilege Escalation) where attackers could potentially use the leaked information to refine their exploitation techniques. The vulnerability demonstrates a critical flaw in the kernel's security model where user-space processes can access kernel memory through improper virtual memory management, violating fundamental security boundaries that should prevent such information leakage.

Responsible: Linux

Reservation: 10/21/2024

Disclosure: 10/21/2024

Moderation: accepted

CPE: ready

EPSS: 0.00249

KEV: no

Activities: very low
