
CVE-2024-39474: Vulnerability in Linux

High
Published: Fri Jul 05 2024 (07/05/2024, 06:55:05 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL

commit a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc") includes support for __GFP_NOFAIL, but it presents a conflict with commit dd544141b9eb ("vmalloc: back off when the current task is OOM-killed"). A possible scenario is as follows:

    process-a
    __vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)
        __vmalloc_area_node()
            vm_area_alloc_pages()
                --> oom-killer sends SIGKILL to process-a
                if (fatal_signal_pending(current))
                    break;
    --> return NULL;

To fix this, do not check fatal_signal_pending() in vm_area_alloc_pages() if __GFP_NOFAIL is set.

This issue occurred during OPLUS KASAN TEST. Below is part of the log:

    -> oom-killer sends signal to process
    [65731.222840] [ T1308] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/apps/uid_10198,task=gs.intelligence,pid=32454,uid=10198
    [65731.259685] [T32454] Call trace:
    [65731.259698] [T32454] dump_backtrace+0xf4/0x118
    [65731.259734] [T32454] show_stack+0x18/0x24
    [65731.259756] [T32454] dump_stack_lvl+0x60/0x7c
    [65731.259781] [T32454] dump_stack+0x18/0x38
    [65731.259800] [T32454] mrdump_common_die+0x250/0x39c [mrdump]
    [65731.259936] [T32454] ipanic_die+0x20/0x34 [mrdump]
    [65731.260019] [T32454] atomic_notifier_call_chain+0xb4/0xfc
    [65731.260047] [T32454] notify_die+0x114/0x198
    [65731.260073] [T32454] die+0xf4/0x5b4
    [65731.260098] [T32454] die_kernel_fault+0x80/0x98
    [65731.260124] [T32454] __do_kernel_fault+0x160/0x2a8
    [65731.260146] [T32454] do_bad_area+0x68/0x148
    [65731.260174] [T32454] do_mem_abort+0x151c/0x1b34
    [65731.260204] [T32454] el1_abort+0x3c/0x5c
    [65731.260227] [T32454] el1h_64_sync_handler+0x54/0x90
    [65731.260248] [T32454] el1h_64_sync+0x68/0x6c
    [65731.260269] [T32454] z_erofs_decompress_queue+0x7f0/0x2258
    --> be->decompressed_pages = kvcalloc(be->nr_pages, sizeof(struct page *), GFP_KERNEL | __GFP_NOFAIL);
        kernel panic by NULL pointer dereference.
        erofs assumes kvmalloc with __GFP_NOFAIL never returns NULL.
    [65731.260293] [T32454] z_erofs_runqueue+0xf30/0x104c
    [65731.260314] [T32454] z_erofs_readahead+0x4f0/0x968
    [65731.260339] [T32454] read_pages+0x170/0xadc
    [65731.260364] [T32454] page_cache_ra_unbounded+0x874/0xf30
    [65731.260388] [T32454] page_cache_ra_order+0x24c/0x714
    [65731.260411] [T32454] filemap_fault+0xbf0/0x1a74
    [65731.260437] [T32454] __do_fault+0xd0/0x33c
    [65731.260462] [T32454] handle_mm_fault+0xf74/0x3fe0
    [65731.260486] [T32454] do_mem_abort+0x54c/0x1b34
    [65731.260509] [T32454] el0_da+0x44/0x94
    [65731.260531] [T32454] el0t_64_sync_handler+0x98/0xb4
    [65731.260553] [T32454] el0t_64_sync+0x198/0x19c

AI-Powered Analysis

Last updated: 06/29/2025, 12:40:16 UTC

Technical Analysis

CVE-2024-39474 is a vulnerability in the Linux kernel's memory management subsystem, specifically related to the vmalloc function and its handling of the __GFP_NOFAIL flag during memory allocation. The issue arises from a conflict between two kernel commits: one that introduced support for __GFP_NOFAIL in kvmalloc allocations, and another that added a check for fatal signals (such as those sent by the Out-Of-Memory (OOM) killer) during page allocation in vm_area_alloc_pages(). Normally, when a process is OOM-killed, the kernel sets a fatal signal pending flag, causing vmalloc to return NULL to indicate allocation failure. However, the __GFP_NOFAIL flag is intended to guarantee allocation success by retrying indefinitely. The conflict means that vmalloc may incorrectly return NULL even when __GFP_NOFAIL is set, violating the assumption that allocations with this flag never fail. This can lead to NULL pointer dereferences in kernel code that assumes successful allocation, causing kernel panics and system crashes. The vulnerability was discovered during OPLUS KASAN testing and is exemplified by a kernel panic in the erofs filesystem code path, where kvcalloc is called with GFP_KERNEL | __GFP_NOFAIL flags and the returned NULL pointer is dereferenced. The fix involves modifying vm_area_alloc_pages() to skip the fatal_signal_pending() check when __GFP_NOFAIL is set, ensuring that allocations either succeed or the system handles failure appropriately without returning NULL unexpectedly. This vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant to any Linux-based system using affected kernel versions. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
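The following is an added example, not code from the CVE record or from the kernel tree: a constructed user-space model of the allocation loop described above and in the description, with the pre-fix check (unconditional back-off on a fatal signal) beside the post-fix check (back-off skipped when __GFP_NOFAIL is set). The flag values, the fatal_signal_pending() stand-in and the page-granularity model are all assumptions made for illustration.

```c
#include <stdlib.h>

/* Constructed stand-in gfp flag bits; the real kernel values differ. */
#define GFP_KERNEL    0x1u
#define __GFP_NOFAIL  0x2u

/* Stand-in for fatal_signal_pending(current): non-zero once the OOM killer
 * has delivered SIGKILL to the allocating task. */
static int oom_killed;
static int fatal_signal_pending(void) { return oom_killed; }

/* Model of vm_area_alloc_pages(): hands out pages one at a time and returns how
 * many it got. 'patched' selects the post-fix check from the CVE description. */
static unsigned int vm_area_alloc_pages(unsigned int gfp, unsigned int nr_pages,
                                        int patched)
{
    unsigned int nr_allocated = 0;
    while (nr_allocated < nr_pages) {
        if (patched) {
            /* Post-fix: back off only when the caller tolerates failure. */
            if (!(gfp & __GFP_NOFAIL) && fatal_signal_pending())
                break;
        } else {
            /* Pre-fix: back off unconditionally, even for __GFP_NOFAIL. */
            if (fatal_signal_pending())
                break;
        }
        nr_allocated++;
    }
    return nr_allocated;
}

/* Model of __vmalloc_area_node(): a short allocation means vmalloc returns
 * NULL, which a __GFP_NOFAIL caller such as erofs' kvcalloc() dereferences. */
static void *vmalloc_model(unsigned int gfp, unsigned int nr_pages, int patched)
{
    if (vm_area_alloc_pages(gfp, nr_pages, patched) < nr_pages)
        return NULL;
    return calloc(nr_pages, 4096);   /* stands in for the mapped area */
}

/* 1 if the model allocation comes back NULL for these conditions. */
static int returns_null(unsigned int gfp, int killed, int patched)
{
    oom_killed = killed;
    void *area = vmalloc_model(gfp, 4, patched);
    free(area);
    return area == NULL;
}
```

With the task OOM-killed, the pre-fix loop hands a NULL back to a __GFP_NOFAIL caller, while the patched loop keeps allocating and only a plain GFP_KERNEL request still backs off.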

Potential Impact

For European organizations, this vulnerability poses a risk of system instability and denial of service due to kernel panics triggered by NULL pointer dereferences during memory allocation. Systems running affected Linux kernel versions, especially those using filesystems like erofs or relying on memory allocations with __GFP_NOFAIL, may experience unexpected crashes. This can disrupt critical services, particularly in environments with high memory pressure or constrained resources where the OOM killer is active. The impact is more pronounced for servers, cloud infrastructure, and embedded devices running Linux kernels with the vulnerable code. Confidentiality and integrity impacts are minimal since the vulnerability primarily causes availability issues through system crashes. However, availability disruptions can have cascading effects on business operations, service delivery, and compliance with European data protection regulations requiring high availability and resilience. Organizations using Linux-based infrastructure in sectors such as finance, healthcare, telecommunications, and public services should be particularly vigilant. The absence of known exploits reduces immediate risk but patching is essential to prevent potential future exploitation or accidental system failures.

Mitigation Recommendations

European organizations should promptly identify Linux systems running affected kernel versions by checking kernel commit hashes or vendor advisories. Applying the official Linux kernel patches that address this issue is the primary mitigation step. If immediate patching is not feasible, organizations should monitor system logs for OOM killer activity and kernel panics related to vmalloc or erofs filesystem operations. Reducing memory pressure by optimizing application memory usage, increasing available memory, or tuning OOM killer behavior can mitigate triggering conditions. For critical systems, consider deploying kernel live patching solutions to minimize downtime. Additionally, testing kernel updates in staging environments before production deployment is recommended to ensure stability. Organizations should also review and update incident response plans to handle potential availability incidents caused by this vulnerability. Collaboration with Linux distribution vendors for timely security updates and guidance is advised. Finally, maintaining comprehensive backups and high availability configurations can reduce the operational impact of unexpected kernel crashes.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-06-25T14:23:23.745Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9829c4522896dcbe2cb9

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 12:40:16 PM

Last updated: 8/1/2025, 12:00:17 AM

