CVE-2023-52490: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

mm: migrate: fix getting incorrect page mapping during page migration

When running stress-ng testing, we found below kernel crash after a few hours:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : dentry_name+0xd8/0x224
lr : pointer+0x22c/0x370
sp : ffff800025f134c0
......
Call trace:
 dentry_name+0xd8/0x224
 pointer+0x22c/0x370
 vsnprintf+0x1ec/0x730
 vscnprintf+0x2c/0x60
 vprintk_store+0x70/0x234
 vprintk_emit+0xe0/0x24c
 vprintk_default+0x3c/0x44
 vprintk_func+0x84/0x2d0
 printk+0x64/0x88
 __dump_page+0x52c/0x530
 dump_page+0x14/0x20
 set_migratetype_isolate+0x110/0x224
 start_isolate_page_range+0xc4/0x20c
 offline_pages+0x124/0x474
 memory_block_offline+0x44/0xf4
 memory_subsys_offline+0x3c/0x70
 device_offline+0xf0/0x120
......

After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1.

Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag.

There are several ways to fix this issue:
(1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet.
(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction.
(3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way.

So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.
AI Analysis
Technical Summary
CVE-2023-52490 is a medium-severity denial-of-service bug in the Linux kernel's memory management subsystem, specifically in page migration. It is a race between a thread migrating a page and a thread offlining memory (memory hotplug), and it was found by the reporter after hours of stress-ng testing rather than from any crafted input. During migration, between unmapping the source page and moving its contents, the kernel parked the 'anon_vma' pointer in the target page's ->mapping field without setting the PAGE_MAPPING_ANON tag bit; at that point the target page is locked and has a refcount of 1. If offline_pages() examines the same page in that window, the refcount of 1 stops the offline and the code calls dump_page() to report why. __dump_page() calls page_mapping(), which treats any untagged ->mapping value as a struct address_space and hands the raw anon_vma pointer to dump_mapping(); dump_mapping() then follows fields that are not there (the reported crash is in dentry_name(), reached through the printk %pd dentry format with a bogus dentry pointer), producing a NULL pointer dereference at address 0 and a kernel panic. The root cause is therefore an untagged borrowed pointer left in ->mapping, visible to any PFN walker that calls page_mapping() without holding the page lock, compaction included. The fix stores the anon_vma pointer, together with two bits of page state, in the target page's ->private field instead, reusing the tagged-pointer convention that ->mapping already applies to anonymous pages, so ->mapping is never left in a state that looks like a file mapping. The CVSS 3.1 score is 5.5 (medium): local attack vector, low complexity, low privileges required, no user interaction, availability impact only. No known exploits are reported in the wild, and triggering the race deliberately requires the ability to offline memory, which is a privileged operation.
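The encoding at the heart of both the commit message and the summary above is a tagged pointer: the low bits of page->mapping say whether the word is a struct address_space or an anon_vma, and page_mapping() trusts those bits. The following userspace model is an added example, not kernel code and not from the fix commit; struct layouts are stand-ins, the tag values match include/linux/page-flags.h, and the two state-bit names packed into ->private are assumed (the commit only says "2 bits page state"). It shows why an untagged anon_vma in ->mapping makes dump_page() follow a pointer it should not, and why moving the same data into ->private with its own two bits avoids that.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added userspace model of the page->mapping / page->private encoding
 * behind CVE-2023-52490. Not kernel code: only the tagging arithmetic
 * is meant to be faithful.
 */

/* Tag bits the kernel keeps in the low bits of page->mapping. */
#define PAGE_MAPPING_ANON     0x1UL
#define PAGE_MAPPING_MOVABLE  0x2UL
#define PAGE_MAPPING_FLAGS    (PAGE_MAPPING_ANON | PAGE_MAPPING_MOVABLE)

/* State bits the fix stores next to anon_vma in ->private.
 * Names are an assumption for this example. */
#define PAGE_WAS_MAPPED   0x1UL
#define PAGE_WAS_MLOCKED  0x2UL
#define PAGE_STATE_FLAGS  (PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED)

struct address_space { void *host; };   /* stand-in for the real struct */
struct anon_vma      { int refcount; }; /* stand-in for the real struct */

struct page {
    unsigned long mapping;  /* struct address_space *, or anon_vma | PAGE_MAPPING_ANON */
    unsigned long private;  /* scratch word owned by whoever holds the page */
};

/* Model of page_mapping(): an anon or movable tag means "no file mapping". */
static struct address_space *page_mapping(const struct page *page)
{
    if (page->mapping & PAGE_MAPPING_FLAGS)
        return NULL;
    return (struct address_space *)page->mapping;
}

/* __dump_page() prints host/dentry details whenever page_mapping() is
 * non-NULL, i.e. it follows the pointer. True here models that deref. */
static bool dump_page_follows_mapping(const struct page *page)
{
    return page_mapping(page) != NULL;
}

/* Pre-fix: the migration target borrows ->mapping for anon_vma, untagged.
 * To a PFN walker this is indistinguishable from a file-backed page. */
static void record_anon_vma_pre_fix(struct page *dst, struct anon_vma *av)
{
    dst->mapping = (unsigned long)av;
}

/* Post-fix: anon_vma plus two state bits go into ->private;
 * ->mapping keeps whatever the fresh target page had (NULL here). */
static void migrate_record_post_fix(struct page *dst, unsigned long state,
                                    struct anon_vma *av)
{
    dst->private = (unsigned long)av | (state & PAGE_STATE_FLAGS);
}

static struct anon_vma *migrate_read_post_fix(const struct page *dst,
                                              unsigned long *state)
{
    *state = dst->private & PAGE_STATE_FLAGS;
    return (struct anon_vma *)(dst->private & ~PAGE_STATE_FLAGS);
}

/* The low two bits are only free if anon_vma is at least 4-byte aligned;
 * the kernel gets that from its slab, here we force it explicitly. */
static _Alignas(8) struct anon_vma sample_anon_vma = { .refcount = 1 };

/* Race from the report: offline_pages() dumps a page that is mid-migration. */
int offline_dump_pre_fix(void)
{
    struct page dst = { 0, 0 };
    record_anon_vma_pre_fix(&dst, &sample_anon_vma);
    return dump_page_follows_mapping(&dst);   /* 1: walks into an anon_vma */
}

int offline_dump_post_fix(void)
{
    struct page dst = { 0, 0 };
    migrate_record_post_fix(&dst, PAGE_WAS_MAPPED, &sample_anon_vma);
    return dump_page_follows_mapping(&dst);   /* 0: ->mapping untouched */
}

/* The migration path still recovers its anon_vma and state intact. */
int post_fix_roundtrip_ok(void)
{
    struct page dst = { 0, 0 };
    unsigned long state;
    migrate_record_post_fix(&dst, PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED,
                            &sample_anon_vma);
    struct anon_vma *av = migrate_read_post_fix(&dst, &state);
    return av == &sample_anon_vma &&
           state == (PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED);
}

int main(void)
{
    printf("pre-fix dump follows ->mapping:  %d\n", offline_dump_pre_fix());
    printf("post-fix dump follows ->mapping: %d\n", offline_dump_post_fix());
    printf("post-fix anon_vma round trip ok: %d\n", post_fix_roundtrip_ok());
    return 0;
}
```

The model also makes the trade-off in the commit's option (1) visible: setting PAGE_MAPPING_ANON in ->mapping would make page_mapping() return NULL here too, but any walker testing that bit would then believe the target page is already an anonymous page with mappings, which it is not yet. Keeping ->mapping untouched and using ->private sidesteps both readings.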
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions that use memory hotplug (offlining memory blocks) while also running workloads that keep pages moving, such as high-performance computing, virtualization hosts, or cloud infrastructure where compaction, NUMA balancing or explicit migration is frequent. The impact is a denial of service through a kernel panic, with the outage, lost in-memory state and service interruption that follows. Critical infrastructure, data centers, and cloud service providers in Europe relying on affected kernels could experience operational disruptions. The vulnerability does not affect confidentiality or integrity, but the availability impact matters for business continuity, and hosts with many guests or containers multiply the blast radius of a single panic. The absence of known exploits and the need for a privileged memory-offline operation to coincide with an in-flight migration reduce the immediate risk; the more realistic exposure is an unplanned crash on a host where hotplug operations are routine, which is reason enough to schedule the update.
Mitigation Recommendations
European organizations should implement the following specific mitigations: 1) Identify and inventory Linux systems running affected kernel versions, particularly those that perform memory hotplug and those with migration-heavy workloads (NUMA balancing, compaction, users of the move_pages() and migrate_pages() system calls, virtualization hosts). 2) Apply the kernel update that carries the fix, the commit titled "mm: migrate: fix getting incorrect page mapping during page migration"; the issue is already resolved upstream, so the action is to deploy the distribution kernel or LTS backport that includes it rather than wait for a patch. 3) Where patching must wait, reduce the chance of the race: memory offlining is a privileged operation (writing "offline" to /sys/devices/system/memory/memoryN/state, or an ACPI hotplug event), so limit which accounts and automation can trigger it and avoid scheduling offline operations on hosts under heavy memory pressure. 4) Monitor kernel logs for the signature in the report: "Unable to handle kernel NULL pointer dereference" with __dump_page, dump_page and offline_pages in the call trace, and enable kdump so a vmcore is available for confirmation, as the reporter used. 5) Employ robust system monitoring and automated recovery mechanisms to minimize downtime from a panic. 6) Coordinate with Linux distribution vendors for timely updates and backports, especially for long-term support kernels common in enterprise environments. 7) Conduct controlled stress testing in staging (the bug surfaced under combined memory and hotplug stress) to validate stability after patching and before production deployment. These steps go beyond generic advice by focusing on the workload characteristics and kernel features that determine exposure to this race.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-20T12:30:33.303Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9819c4522896dcbd8db8
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 9:41:48 AM
Last updated: 8/5/2025, 8:20:28 PM
Views: 12
Related Threats
- CVE-2025-9026: OS Command Injection in D-Link DIR-860L (Medium)
- CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-9024: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)
- CVE-2025-9023: Buffer Overflow in Tenda AC7 (High)
- CVE-2025-8905: CWE-94 Improper Control of Generation of Code ('Code Injection') in inpersttion Inpersttion For Theme (Medium)