CVE-2024-36906: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

ARM: 9381/1: kasan: clear stale stack poison

We found below OOB crash:

[ 33.452494] ==================================================================
[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec
[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0
[ 33.455515]
[ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1
[ 33.456880] Hardware name: Generic DT based system
[ 33.457555] unwind_backtrace from show_stack+0x18/0x1c
[ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c
[ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4
[ 33.459863] print_report from kasan_report+0x9c/0x148
[ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0
[ 33.461424] kasan_check_range from memset+0x20/0x3c
[ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec
[ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c
[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354
[ 33.465029] do_idle from cpu_startup_entry+0x20/0x24
[ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4
[ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18
[ 33.467397]
[ 33.467644] The buggy address belongs to stack of task swapper/0/0
[ 33.468493]  and is located at offset 112 in frame:
[ 33.469172]  refresh_cpu_vm_stats.constprop.0+0x0/0x2ec
[ 33.469917]
[ 33.470165] This frame has 2 objects:
[ 33.470696]  [32, 76) 'global_zone_diff'
[ 33.470729]  [112, 276) 'global_node_diff'
[ 33.471294]
[ 33.472095] The buggy address belongs to the physical page:
[ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03
[ 33.473944] flags: 0x1000(reserved|zone=0)
[ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001
[ 33.475656] raw: 00000000
[ 33.476050] page dumped because: kasan: bad access detected
[ 33.476816]
[ 33.477061] Memory state around the buggy address:
[ 33.477732]  c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.478630]  c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1
[ 33.480415]                              ^
[ 33.481195]  c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3
[ 33.482088]  c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.482978] ==================================================================

We find the root cause of this OOB is that arm does not clear stale stack poison in the case of cpuidle. This patch refers to arch/arm64/kernel/sleep.S to resolve this issue.

From cited commit [1] that explains the problem:

Functions which the compiler has instrumented for KASAN place poison on the stack shadow upon entry and remove this poison prior to returning.

In the case of cpuidle, CPUs exit the kernel a number of levels deep in C code. Any instrumented functions on this critical path will leave portions of the stack shadow poisoned.

If CPUs lose context and return to the kernel via a cold path, we restore a prior context saved in __cpu_suspend_enter are forgotten, and we never remove the poison they placed in the stack shadow area by function calls between this and the actual exit of the kernel.

Thus, (depending on stackframe layout) subsequent calls to instrumented functions may hit this stale poison, resulting in (spurious) KASAN splats to the console.

To avoid this, clear any stale poison from the idle thread for a CPU prior to bringing a CPU online.

From cited commit [2]: Extend to check for CONFIG_KASAN_STACK

[1] commit 0d97e6d8024c ("arm64: kasan: clear stale stack poison")
[2] commit d56a9ef84bd0 ("kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK")
AI Analysis
Technical Summary
CVE-2024-36906 is a vulnerability identified in the Linux kernel specifically affecting ARM64 architectures. The issue arises from improper handling of stale stack poison in the Kernel Address Sanitizer (KASAN) instrumentation during CPU idle state transitions. KASAN is a memory error detector that poisons stack memory regions upon function entry and clears them upon exit to detect out-of-bounds (OOB) and use-after-free bugs. However, in the cpuidle subsystem, CPUs exit the kernel several levels deep in C code, and the normal unpoisoning process is bypassed. This leads to stale poison remaining on the stack shadow memory. When the CPU returns to the kernel via a cold path, the context restored from __cpu_suspend_enter does not clear this stale poison. Consequently, subsequent kernel functions instrumented by KASAN may incorrectly detect memory errors, causing spurious KASAN alerts and potential kernel crashes due to stack-out-of-bounds writes, as demonstrated by the OOB crash logs. The root cause is that the ARM64 kernel did not clear stale stack poison during CPU idle transitions. The fix involves patching the ARM64 kernel assembly code (arch/arm64/kernel/sleep.S) to clear stale poison from the idle thread stack before bringing CPUs online, ensuring that KASAN instrumentation does not trigger false positives or kernel instability. This vulnerability is specific to Linux kernel versions containing the affected commit and is relevant to systems running ARM64 Linux kernels with KASAN enabled, particularly with CONFIG_KASAN_STACK. No known exploits are reported in the wild, and the issue primarily causes kernel instability and false memory error reports rather than direct code execution or privilege escalation.
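The mechanism described above (redzones placed by an instrumented prologue, an idle-path exit that skips the epilogue, a later in-bounds write tripping the leftover shadow, and the fix of wiping the idle thread's stack shadow before the CPU comes back online) is easier to follow on a small model. The C below is an added example written for this page; it is not kernel code and not from the commits cited above. It models the shadow as one byte per 8 bytes of stack, using the 0xF1/0xF2/0xF3 redzone values and the partial-granule "04" encoding the splat shows. The offsets of global_zone_diff and global_node_diff are the ones the splat prints; the 352-byte extent of that frame and the idle-path callee frame at base 160 are assumptions chosen so the stale left redzone lands at frame offset 160, inside the 164-byte memset, as in the splat.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not kernel code): one shadow byte per SHADOW_SCALE
 * stack bytes. 0 = addressable, 1..7 = only that many leading bytes are
 * addressable (the "04" in the splat), 0xF1/0xF2/0xF3 = left/middle/right
 * stack redzones, the values the splat prints. */
#define STACK_SIZE        512
#define SHADOW_SCALE      8
#define KASAN_STACK_LEFT  0xF1
#define KASAN_STACK_MID   0xF2
#define KASAN_STACK_RIGHT 0xF3

static uint8_t idle_stack_shadow[STACK_SIZE / SHADOW_SCALE];

/* Frame layout relative to its base; redzones fill the gaps between
 * objects. refresh_cpu_vm_stats() uses the object offsets from the splat
 * (frame extent assumed); the idle-path callee is a hypothetical frame. */
struct frame {
    size_t size, nobj;
    size_t obj[2][2];               /* [lo, hi) of each object */
};
static const struct frame refresh_cpu_vm_stats_frame = {
    352, 2, { {32, 76}, {112, 276} } /* global_zone_diff, global_node_diff */
};
static const struct frame idle_callee_frame = { 160, 1, { {32, 128} } };

/* Poison [lo, hi); an unaligned lo becomes a partial granule. */
static void poison_range(size_t lo, size_t hi, uint8_t val)
{
    if (lo % SHADOW_SCALE) {
        idle_stack_shadow[lo / SHADOW_SCALE] = (uint8_t)(lo % SHADOW_SCALE);
        lo += SHADOW_SCALE - lo % SHADOW_SCALE;
    }
    for (size_t p = lo; p < hi; p += SHADOW_SCALE)
        idle_stack_shadow[p / SHADOW_SCALE] = val;
}

/* Compiler-emitted prologue: redzones go in around every object. */
static void frame_enter(size_t base, const struct frame *f)
{
    size_t cursor = 0;
    for (size_t i = 0; i < f->nobj; i++) {
        poison_range(base + cursor, base + f->obj[i][0],
                     i == 0 ? KASAN_STACK_LEFT : KASAN_STACK_MID);
        cursor = f->obj[i][1];
    }
    poison_range(base + cursor, base + f->size, KASAN_STACK_RIGHT);
}

/* Epilogue on the normal return path: the whole frame is unpoisoned. */
static void frame_leave(size_t base, const struct frame *f)
{
    for (size_t p = base; p < base + f->size; p += SHADOW_SCALE)
        idle_stack_shadow[p / SHADOW_SCALE] = 0;
}

/* kasan_check_range() in miniature: first offset in [off, off+len) that
 * the shadow marks as not addressable, or -1 when the access is clean. */
long check_range(size_t off, size_t len)
{
    for (size_t p = off; p < off + len; p++) {
        uint8_t s = idle_stack_shadow[p / SHADOW_SCALE];
        if (s != 0 && !(s < SHADOW_SCALE && p % SHADOW_SCALE < s))
            return (long)p;
    }
    return -1;
}

/* The fix in spirit: wipe the idle thread's stack shadow before the CPU
 * is brought back online, so nothing a lost context left behind survives. */
void unpoison_task_stack(void)
{
    memset(idle_stack_shadow, 0, sizeof idle_stack_shadow);
}

/* cpuidle round trip. A callee deep on the exit path lays down its
 * redzones, the CPU loses context before that callee's epilogue runs, and
 * after the cold-path return refresh_cpu_vm_stats() reuses the same stack.
 * Returns what its in-bounds memset(global_node_diff, 0, 164) trips on. */
long cold_path_return(bool with_fix)
{
    memset(idle_stack_shadow, 0, sizeof idle_stack_shadow);
    frame_enter(160, &idle_callee_frame);
    /* ...CPU powers down here; frame_leave() for the callee never runs... */
    if (with_fix)
        unpoison_task_stack();
    frame_enter(0, &refresh_cpu_vm_stats_frame);
    long hit = check_range(112, 164);
    frame_leave(0, &refresh_cpu_vm_stats_frame);
    return hit;
}

/* The fix must not mask real bugs: after the unpoison, a write that runs
 * four bytes past global_node_diff still hits the live frame's redzone. */
long genuine_oob_after_fix(void)
{
    memset(idle_stack_shadow, 0, sizeof idle_stack_shadow);
    frame_enter(160, &idle_callee_frame);
    unpoison_task_stack();
    frame_enter(0, &refresh_cpu_vm_stats_frame);
    long hit = check_range(112, 168);
    frame_leave(0, &refresh_cpu_vm_stats_frame);
    return hit;
}
```

Without the fix, cold_path_return(false) reports frame offset 160, a byte that is inside global_node_diff but still carries the callee's 0xF1 left redzone; with the fix it returns -1. genuine_oob_after_fix() returns 276 because the partial granule at the end of global_node_diff is still in place, which is the point of clearing the stale shadow rather than suppressing stack checks.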
Potential Impact
For European organizations, the impact of CVE-2024-36906 is primarily related to system stability and reliability on ARM64-based Linux systems with KASAN enabled. While this vulnerability does not directly lead to remote code execution or privilege escalation, it can cause kernel crashes and system instability due to false-positive memory error detections. This can disrupt critical services, especially in environments relying on ARM64 servers, embedded devices, or IoT infrastructure running Linux kernels with KASAN instrumentation. Organizations using ARM64 Linux in data centers, edge computing, or industrial control systems may experience increased downtime or require additional maintenance to apply patches. The false KASAN alerts may also complicate debugging and incident response efforts, potentially delaying detection of genuine memory corruption issues. Since the vulnerability is tied to kernel internals and CPU idle state transitions, it is less likely to be exploited remotely but could affect system reliability and operational continuity in sensitive deployments.
Mitigation Recommendations
To mitigate CVE-2024-36906, European organizations should:
1) Apply the official Linux kernel patches that clear stale stack poison during CPU idle transitions, specifically those referenced in commits 0d97e6d8024c and d56a9ef84bd0.
2) Upgrade to a Linux kernel version that includes these fixes, ensuring the kernel is rebuilt with CONFIG_KASAN_STACK enabled if KASAN is used.
3) For systems where KASAN is not required in production, consider disabling KASAN to avoid this issue altogether, as KASAN is primarily a debugging tool.
4) Monitor kernel logs for KASAN-related errors or OOB crashes to detect any residual issues.
5) Test kernel updates in staging environments to verify stability before deployment.
6) For embedded or ARM64-based devices, coordinate with hardware vendors to obtain updated firmware or kernel images incorporating the fix.
7) Maintain robust backup and recovery procedures to minimize downtime in case of kernel crashes.
These steps go beyond generic advice by focusing on kernel patch application, configuration management, and operational monitoring specific to ARM64 Linux systems with KASAN enabled.
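Step 4 above asks for monitoring of kernel logs for KASAN reports. The C below is an added example, not part of this page or of any monitoring product, showing the minimum a log pipeline needs to do with such output: pick the "BUG: KASAN: <kind> in <func>" header out of a batch of dmesg lines, keep the lines up to the closing banner together as one report, and flag reports whose trace passes through do_idle, since those are the ones this CVE describes as spurious. The sample lines are constructed; the first report reuses the header and trace lines from the splat on this page, the second uses a made-up symbol (example_driver_release) to show a report that is not idle-path related.

```c
#include <stdio.h>
#include <string.h>

/* One KASAN report reassembled from consecutive dmesg lines. */
struct kasan_report {
    char kind[64];    /* "stack-out-of-bounds", "use-after-free", ... */
    char func[128];   /* symbol from the header, without the +off/size suffix */
    int  idle_path;   /* 1 when a trace line under the header names do_idle */
};

/* Header line: "... BUG: KASAN: <kind> in <func>+0x<off>/0x<size>".
 * Returns 1 and fills *r, or 0 for any other line. */
static int parse_header(const char *line, struct kasan_report *r)
{
    const char *p = strstr(line, "BUG: KASAN: ");
    if (!p)
        return 0;
    memset(r, 0, sizeof *r);
    return sscanf(p + strlen("BUG: KASAN: "), "%63s in %127[^+ \n]",
                  r->kind, r->func) == 2;
}

/* Collect reports from a batch of log lines into out[]. A report runs from
 * its header to the next "====" banner; a trace line in between that names
 * do_idle marks it as coming from the idle path, where the stale-poison
 * false positives discussed above appear. Returns the number collected. */
int scan_dmesg(const char *const *lines, int n, struct kasan_report *out, int max)
{
    int count = 0, open = 0;
    for (int i = 0; i < n; i++) {
        if (open) {
            if (strstr(lines[i], "===="))
                open = 0;
            else if (strstr(lines[i], "do_idle"))
                out[count - 1].idle_path = 1;
        } else if (count < max && parse_header(lines[i], &out[count])) {
            count++;
            open = 1;
        }
    }
    return count;
}

/* Constructed sample: the header and two trace lines of the splat above,
 * unrelated noise, then a second report with a made-up driver symbol. */
static const char *const sample_dmesg[] = {
    "[ 33.452494] ==================================================================",
    "[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec",
    "[ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0",
    "[ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354",
    "[ 33.482978] ==================================================================",
    "[ 41.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[ 52.100000] BUG: KASAN: use-after-free in example_driver_release+0x40/0x80",
    "[ 52.100500] Read of size 8 at addr c2000000 by task modprobe/123",
    "[ 52.110000] ==================================================================",
};
#define SAMPLE_N ((int)(sizeof sample_dmesg / sizeof sample_dmesg[0]))

struct kasan_report sample_reports[8];

/* Parse the constructed sample into sample_reports[]; returns the count. */
int parse_sample(void)
{
    return scan_dmesg(sample_dmesg, SAMPLE_N, sample_reports, 8);
}

int main(void)
{
    int n = parse_sample();
    for (int i = 0; i < n; i++)
        printf("%s in %s%s\n", sample_reports[i].kind, sample_reports[i].func,
               sample_reports[i].idle_path ? " (idle path)" : "");
    return 0;
}
```

An idle-path flag is a triage hint, not proof that a report is spurious: a real out-of-bounds write can also happen on the idle path, so a flagged report on a kernel that does not yet carry the fix should be re-checked after patching rather than discarded.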
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.067Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2633
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 10:09:31 AM
Last updated: 8/1/2025, 7:12:46 AM
Views: 11
Related Threats
- CVE-2025-55159: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in tokio-rs slab (Medium)
- CVE-2025-55161: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF (High)
- CVE-2025-25235: CWE-918 Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway (High)
- CVE-2025-55151: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF (High)
- CVE-2025-55150: CWE-918: Server-Side Request Forgery (SSRF) in Stirling-Tools Stirling-PDF (High)