
CVE-2023-52934: Vulnerability in the Linux kernel

Severity: High
Published: Thu Mar 27 2025 (03/27/2025, 16:37:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups

In commit 34488399fa08 ("mm/madvise: add file and shmem support to MADV_COLLAPSE") we make the following change to find_pmd_or_thp_or_none():

    -	if (!pmd_present(pmde))
    -		return SCAN_PMD_NULL;
    +	if (pmd_none(pmde))
    +		return SCAN_PMD_NONE;

This was for-use by MADV_COLLAPSE file/shmem codepaths, where MADV_COLLAPSE might identify a pte-mapped hugepage, only to have khugepaged race-in, free the pte table, and clear the pmd. Such codepaths include:

A) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER already in the pagecache.

B) In retract_page_tables(), if we fail to grab mmap_lock for the target mm/address.

In these cases, collapse_pte_mapped_thp() really does expect a none (not just !present) pmd, and we want to suitably identify that case separate from the case where no pmd is found, or it's a bad-pmd (of course, many things could happen once we drop mmap_lock, and the pmd could plausibly undergo multiple transitions due to intervening fault, split, etc). Regardless, the code is prepared to install a huge-pmd only when the existing pmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd.

However, the commit introduces a logical hole; namely, that we've allowed !none- && !huge- && !bad-pmds to be classified as genuine pte-table-mapping-pmds. One such example that could leak through is swap entries. The pmd values aren't checked again before use in pte_offset_map_lock(), which is expecting nothing less than a genuine pte-table-mapping-pmd.

We want to put back the !pmd_present() check (below the pmd_none() check), but need to be careful to deal with subtleties in pmd transitions and treatments by various arch.

The issue is that __split_huge_pmd_locked() temporarily clears the present bit (or otherwise marks the entry as invalid), but pmd_present() and pmd_trans_huge() still need to return true while the pmd is in this transitory state. For example, x86's pmd_present() also checks the _PAGE_PSE bit, riscv's version also checks the _PAGE_LEAF bit, and arm64 also checks a PMD_PRESENT_INVALID bit.

Covering all 4 cases for x86 (all checks done on the same pmd value):

1) pmd_present() && pmd_trans_huge()

   All we actually know here is that the PSE bit is set. Either:

   a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE is set.
      => huge-pmd

   b) We are currently racing with __split_huge_page(). The danger here is that we proceed as-if we have a huge-pmd, but really we are looking at a pte-mapping-pmd. So, what is the risk of this danger?

      The only relevant path is:

          madvise_collapse() -> collapse_pte_mapped_thp()

      Where we might just incorrectly report back "success", when really the memory isn't pmd-backed. This is fine, since split could happen immediately after (actually) successful madvise_collapse(). So, it should be safe to just assume huge-pmd here.

2) pmd_present() && !pmd_trans_huge()

   Either:

   a) PSE not set and either PRESENT or PROTNONE is.
      => pte-table-mapping pmd (or PROT_NONE)

   b) devmap. This routine can be called immediately after unlocking/locking mmap_lock -- or called with no locks held (see khugepaged_scan_mm_slot()), so previous VMA checks have since been invalidated.

3) !pmd_present() && pmd_trans_huge()

   Not possible.

4) !pmd_present() && !pmd_trans_huge()

   Neither PRESENT nor PROTNONE set
   => not present

I've checked all archs that implement pmd_trans_huge() (arm64, riscv, powerpc, loongarch, x86, mips, s390) and this logic roughly translates (though devmap treatment is unique to x86 and powerpc, and (3) doesn't necessarily hold in general -- but that doesn't matter since !pmd_present() always takes failure path).
Also, add a comment above find_pmd_or_thp_or_none() ---truncated---
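The description above reasons about which pmd states find_pmd_or_thp_or_none() should let through. The following is an added, user-space model written for this page (it is not kernel code and not part of the upstream fix) that puts the flawed check ordering from commit 34488399fa08 beside the ordering with the !pmd_present() check restored below pmd_none(), and runs both over constructed sample entries: a none pmd, a pte-table pmd, a huge pmd, a huge pmd mid-split (case 1b), a devmap pmd (case 2b) and a swap entry. Bit positions follow x86-64 by assumption; the toy pmd_bad(), the sample values, and the placement of the devmap rejection in the fixed ordering are assumptions of the model, not facts taken from the kernel.

```c
/* Added example, not kernel code: a user-space model of the pmd
 * classification done by find_pmd_or_thp_or_none(), with the ordering
 * from commit 34488399fa08 beside the ordering that restores the
 * !pmd_present() check directly below pmd_none().
 * Bit positions follow x86-64 (an assumption for this model; the kernel
 * uses pmd_t accessors rather than raw integers). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pmd_t;

#define PAGE_PRESENT  (1ULL << 0)
#define PAGE_RW       (1ULL << 1)
#define PAGE_PSE      (1ULL << 7)   /* leaf / huge-page bit */
#define PAGE_PROTNONE (1ULL << 8)   /* x86 reuses the GLOBAL bit for PROT_NONE */
#define PAGE_DEVMAP   (1ULL << 58)
#define PFN_MASK      0x000FFFFFFFFFF000ULL
/* Toy "bad" test: anything set outside the flag, PFN and DEVMAP fields.
 * Real pmd_bad() implementations differ per arch and, as the description
 * notes, need not reject a swap entry. */
#define RESERVED_MASK (~(PFN_MASK | 0xFFFULL | PAGE_DEVMAP))

static bool pmd_none(pmd_t p)       { return p == 0; }
/* x86 pmd_present(): PRESENT, PROTNONE or PSE. A huge pmd whose PRESENT
 * bit __split_huge_pmd_locked() has cleared therefore still reads present. */
static bool pmd_present(pmd_t p)    { return (p & (PAGE_PRESENT | PAGE_PROTNONE | PAGE_PSE)) != 0; }
static bool pmd_trans_huge(pmd_t p) { return (p & (PAGE_PSE | PAGE_DEVMAP)) == PAGE_PSE; }
static bool pmd_devmap(pmd_t p)     { return (p & PAGE_DEVMAP) != 0; }
static bool pmd_bad(pmd_t p)        { return (p & RESERVED_MASK) != 0; }

enum scan_result { SCAN_SUCCEED, SCAN_PMD_NULL, SCAN_PMD_NONE, SCAN_PMD_MAPPED };

/* Ordering after commit 34488399fa08: nothing rejects an entry that is
 * !none, !huge and !bad but also !present, so it falls through. */
static enum scan_result classify_flawed(pmd_t pmde)
{
    if (pmd_none(pmde))
        return SCAN_PMD_NONE;
    if (pmd_trans_huge(pmde))
        return SCAN_PMD_MAPPED;
    if (pmd_bad(pmde))
        return SCAN_PMD_NULL;
    return SCAN_SUCCEED;        /* caller treats this as a pte-table pmd */
}

/* Ordering with !pmd_present() restored below pmd_none(). Rejecting devmap
 * here models case 2b of the description (present, but not a pte table);
 * that placement is an assumption of this model. */
static enum scan_result classify_fixed(pmd_t pmde)
{
    if (pmd_none(pmde))
        return SCAN_PMD_NONE;
    if (!pmd_present(pmde))
        return SCAN_PMD_NULL;
    if (pmd_trans_huge(pmde))
        return SCAN_PMD_MAPPED;
    if (pmd_devmap(pmde))
        return SCAN_PMD_NULL;
    if (pmd_bad(pmde))
        return SCAN_PMD_NULL;
    return SCAN_SUCCEED;
}

/* Constructed sample entries (values chosen for the model, not captured). */
#define TABLE_PMD     (PAGE_PRESENT | PAGE_RW | (0x1A2B3ULL << 12))
#define HUGE_PMD      (PAGE_PRESENT | PAGE_RW | PAGE_PSE | 0x40000000ULL)
#define SPLITTING_PMD (HUGE_PMD & ~PAGE_PRESENT)     /* mid-split: case 1b */
#define DEVMAP_PMD    (HUGE_PMD | PAGE_DEVMAP)       /* case 2b */
/* Swap entry: non-zero, but PRESENT, PROTNONE and PSE all clear. */
#define SWAP_PMD      ((0x2AULL << 12) | (0x7ULL << 2))

static const char *name(enum scan_result r)
{
    switch (r) {
    case SCAN_SUCCEED:    return "SCAN_SUCCEED (pte table)";
    case SCAN_PMD_NULL:   return "SCAN_PMD_NULL";
    case SCAN_PMD_NONE:   return "SCAN_PMD_NONE";
    case SCAN_PMD_MAPPED: return "SCAN_PMD_MAPPED (huge)";
    }
    return "?";
}

int main(void)
{
    const struct { const char *label; pmd_t v; } samples[] = {
        { "none",      0 },
        { "pte table", TABLE_PMD },
        { "huge",      HUGE_PMD },
        { "splitting", SPLITTING_PMD },
        { "devmap",    DEVMAP_PMD },
        { "swap",      SWAP_PMD },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s flawed=%-26s fixed=%s\n", samples[i].label,
               name(classify_flawed(samples[i].v)),
               name(classify_fixed(samples[i].v)));
    return 0;
}
```

The swap entry row is the hole the description names: it is neither none nor huge, the toy pmd_bad() does not reject it, and the flawed ordering returns SCAN_SUCCEED, which a caller would hand to pte_offset_map_lock() as if it were a pte table. With !pmd_present() restored it becomes SCAN_PMD_NULL, while the mid-split huge pmd still classifies as mapped because PSE keeps pmd_present() true, matching case 1b.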

AI-Powered Analysis

AI analysis last updated: 07/01/2025, 02:40:43 UTC

Technical Analysis

CVE-2023-52934 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically related to the MADV_COLLAPSE functionality in the madvise system call. The vulnerability arises from a logical flaw introduced in commit 34488399fa08, which modified the function find_pmd_or_thp_or_none() to better handle page middle directory (PMD) entries during the collapse of huge pages. The change replaced a check for pmd_present() with pmd_none(), intending to distinguish between different PMD states more accurately. However, this introduced a logical hole where PMD entries that are neither 'none', 'huge', nor 'bad' could be misclassified as genuine page table entries (pte-table-mapping-pmds). One example of such an entry is a swap entry, which is not a valid pte-table mapping but could be treated as one due to this flaw. This misclassification can lead to the use of invalid PMD entries in functions like pte_offset_map_lock(), which expects only genuine pte-table-mapping PMDs.

The root cause involves complex interactions with huge page splitting (__split_huge_pmd_locked()), which temporarily clears the present bit on PMD entries, causing ambiguity in the pmd_present() and pmd_trans_huge() checks. Different CPU architectures (x86, arm64, riscv, etc.) have subtle differences in how these bits are interpreted, complicating the logic further.

The vulnerability could cause madvise_collapse() to incorrectly report success when collapsing huge pages, even though the memory is not actually backed by a huge PMD. While this may not immediately lead to memory corruption or privilege escalation, it represents a correctness issue in memory management that could be exploited or cause instability under certain race conditions involving huge page handling and memory collapsing.
The Linux kernel developers have recognized the need to restore the pmd_present() check while carefully handling the transitional states of PMD entries across architectures to prevent this misclassification. This fix is critical to ensure the integrity of memory management operations involving huge pages and madvise calls.

Potential Impact

For European organizations, the impact of CVE-2023-52934 primarily concerns systems running vulnerable Linux kernel versions that include the flawed commit. Since Linux is widely used in servers, cloud infrastructure, and embedded devices across Europe, the vulnerability could affect a broad range of environments. The flaw could lead to incorrect memory management behavior, potentially causing application instability, memory leaks, or denial of service conditions if huge page collapsing operations behave unexpectedly. While no known exploits are currently reported in the wild, the vulnerability's subtlety and involvement in low-level memory management mean it could be leveraged in complex attack chains, especially in multi-tenant cloud environments or systems running untrusted code. European organizations relying on Linux for critical infrastructure, financial services, telecommunications, or government systems could face increased risk if attackers exploit this flaw to destabilize systems or bypass memory protections. The impact on confidentiality and integrity is likely limited, as the vulnerability does not directly enable privilege escalation or arbitrary code execution. However, availability could be affected due to potential system crashes or memory corruption triggered by the flawed memory collapse logic. This could disrupt services and lead to operational downtime, which is critical for sectors with high availability requirements.

Mitigation Recommendations

1. Immediate patching: European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2023-52934. Kernel maintainers have indicated the need to reinstate the pmd_present() check with architecture-specific handling, so applying official patches or upgrading to the latest stable kernel releases is essential.

2. Kernel version auditing: Conduct thorough audits of deployed Linux kernel versions across all systems, especially in data centers and cloud environments, to identify vulnerable instances.

3. Controlled deployment: Test kernel updates in staging environments to ensure compatibility and stability before wide deployment, as memory management changes can affect system behavior.

4. Monitoring and logging: Enhance monitoring of system logs for unusual madvise or huge page related errors or warnings that could indicate attempts to trigger the vulnerability.

5. Restrict untrusted code execution: Limit the execution of untrusted or less trusted code on systems running vulnerable kernels, reducing the attack surface.

6. Collaborate with vendors: Engage with Linux distribution vendors and hardware providers to receive timely updates and guidance on mitigating this vulnerability.

7. Harden memory management: Where possible, configure kernel parameters to reduce reliance on huge page collapsing or disable MADV_COLLAPSE if not required by workloads, as a temporary mitigation.

These steps go beyond generic advice by focusing on kernel version management, operational monitoring, and workload-specific configuration adjustments relevant to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:07:11.020Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe6be0

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 2:40:43 AM

Last updated: 8/19/2025, 4:45:59 AM
