CVE-2024-35872 is a vulnerability in the Linux kernel related to the handling of secret memory folios within the memory management subsystem. Specifically, the issue arises in the function folio_is_secretmem(), which is designed to identify secret memory folios by checking if they are part of the Least Recently Used (LRU) list. The vulnerability stems from the fact that secret memory folios may temporarily lack the LRU flag due to their management in per-CPU folio batches, where folios can be added without immediately setting the LRU flag until the batch is drained. This unreliable reliance on the LRU flag causes folio_is_secretmem() to fail to detect secret memory folios correctly. As a result, the GUP-fast (Get User Pages fast) mechanism can mistakenly succeed in grabbing a secret memory folio that should not be accessible. Subsequent attempts to read or write to this folio lead to kernel crashes because the folio has been unmapped from the direct memory map (directmap). The fix involves removing the dependence on the LRU flag for identifying secret memory folios, thereby preventing GUP-fast from improperly accessing these folios and avoiding kernel crashes. This vulnerability affects Linux kernel versions identified by the commit hash 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 and was published on May 19, 2024. No known exploits are reported in the wild at this time.

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are common in enterprise servers, cloud infrastructure, and embedded devices. The vulnerability can lead to kernel crashes, resulting in denial of service (DoS) conditions. Such crashes could disrupt critical services, cause downtime, and potentially lead to data loss or corruption if systems are not properly managed. While the vulnerability does not directly enable privilege escalation or remote code execution, the instability caused by kernel crashes can be exploited by attackers to degrade system availability or as part of a broader attack chain. Organizations relying on Linux-based infrastructure for critical operations, including financial institutions, telecommunications, and government services, could face operational disruptions. Additionally, the complexity of the vulnerability in memory management may complicate forensic analysis and recovery efforts after an incident. The absence of known exploits reduces immediate risk, but the potential for future exploitation remains, especially if attackers develop methods to trigger the kernel crash remotely or through crafted workloads.

European organizations should prioritize updating their Linux kernel to the patched version that removes the unreliable LRU flag check in folio_is_secretmem(). This update is critical to prevent kernel crashes caused by improper handling of secret memory folios. System administrators should: 1) Identify all systems running affected Linux kernel versions, especially those using the commit hash 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 or earlier; 2) Apply official kernel patches or upgrade to a fixed kernel release as soon as possible; 3) Monitor system logs for unusual kernel messages or crashes related to memory management; 4) Implement robust kernel crash recovery and system restart procedures to minimize downtime; 5) For environments where immediate patching is not feasible, consider isolating vulnerable systems or limiting access to reduce exposure; 6) Engage with Linux distribution vendors for backported patches if using long-term support kernels; and 7) Maintain up-to-date backups and conduct regular system integrity checks to facilitate recovery from potential crashes.