
CVE-2024-40949: Vulnerability in Linux Linux

Severity: High
Published: Fri Jul 12 2024 (07/12/2024, 12:31:54 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: shmem: fix getting incorrect lruvec when replacing a shmem folio

When testing shmem swapin, I encountered the warning below on my machine. The reason is that replacing an old shmem folio with a new one causes mem_cgroup_migrate() to clear the old folio's memcg data. As a result, the old folio cannot get the correct memcg's lruvec needed to remove itself from the LRU list when it is being freed. This could lead to possible serious problems, such as LRU list crashes due to holding the wrong LRU lock, and incorrect LRU statistics.

To fix this issue, we can fall back to using mem_cgroup_replace_folio() to replace the old shmem folio.

[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960
[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)
[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000
[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000
[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 5241.100338] ------------[ cut here ]------------
[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150
[...]
[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150
[ 5241.100376] sp : ffff80008b38b930
[...]
[ 5241.100398] Call trace:
[ 5241.100399] folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100401] __page_cache_release+0x90/0x300
[ 5241.100404] __folio_put+0x50/0x108
[ 5241.100406] shmem_replace_folio+0x1b4/0x240
[ 5241.100409] shmem_swapin_folio+0x314/0x528
[ 5241.100411] shmem_get_folio_gfp+0x3b4/0x930
[ 5241.100412] shmem_fault+0x74/0x160
[ 5241.100414] __do_fault+0x40/0x218
[ 5241.100417] do_shared_fault+0x34/0x1b0
[ 5241.100419] do_fault+0x40/0x168
[ 5241.100420] handle_pte_fault+0x80/0x228
[ 5241.100422] __handle_mm_fault+0x1c4/0x440
[ 5241.100424] handle_mm_fault+0x60/0x1f0
[ 5241.100426] do_page_fault+0x120/0x488
[ 5241.100429] do_translation_fault+0x4c/0x68
[ 5241.100431] do_mem_abort+0x48/0xa0
[ 5241.100434] el0_da+0x38/0xc0
[ 5241.100436] el0t_64_sync_handler+0x68/0xc0
[ 5241.100437] el0t_64_sync+0x14c/0x150
[ 5241.100439] ---[ end trace 0000000000000000 ]---

[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]

AI-Powered Analysis

Last updated: 06/29/2025, 02:40:18 UTC

Technical Analysis

CVE-2024-40949 is a vulnerability in the Linux kernel's memory management subsystem, specifically in the shared memory (shmem) implementation. The flaw arises when an old shmem folio (the kernel's structure for one or more contiguous memory pages) is replaced with a new one during shmem swap-in. The root cause is that mem_cgroup_migrate() clears the old folio's memory control group (memcg) data, so the old folio can no longer look up the correct memcg's LRU vector (lruvec) when it needs to remove itself from the LRU list on being freed. This can lead to serious kernel-level problems such as LRU list corruption, crashes from holding the wrong LRU lock, and inaccurate LRU statistics. The bug manifests as kernel warnings and call traces involving folio_lruvec_lock_irqsave() and memory control group operations, and can destabilize the system's memory management. The fix replaces the old folio with mem_cgroup_replace_folio(), which preserves the memcg data and avoids the erroneous state. The affected Linux kernel versions are identified by the commit hashes given in the CVE record; the issue was publicly disclosed on July 12, 2024. No exploits are known in the wild, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, which are widely used in enterprise servers, cloud infrastructure, and embedded devices. Exploitation could cause kernel crashes or memory management instability, leading to denial of service (DoS) conditions. This can disrupt critical services, especially in sectors relying heavily on Linux-based infrastructure such as finance, telecommunications, government, and cloud service providers. While the vulnerability does not directly enable code execution or privilege escalation, the resulting system instability can be leveraged as part of a broader attack chain or cause significant operational downtime. Given the widespread deployment of Linux in Europe, the impact could be substantial if unpatched systems are targeted, particularly in data centers and cloud environments hosting sensitive or critical workloads.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-40949. Since the fix involves a kernel-level change, applying official kernel updates from trusted Linux distributions is essential. For environments where immediate patching is challenging, organizations should monitor kernel logs for the specific warning messages and traces described to detect potential exploitation attempts or instability. Additionally, restricting access to systems running vulnerable kernels, especially limiting untrusted user or process interactions that could trigger shmem swap-in operations, can reduce risk. Organizations should also review their memory control group configurations and ensure that kernel memory management subsystems are properly monitored and audited. Employing kernel live patching solutions where available can help mitigate risk without requiring full system reboots.
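As an added example (not part of this record and not code from the Linux kernel), the following Python script implements the log-monitoring step recommended above: it groups kernel WARNING blocks out of dmesg- or journal-style lines and flags those whose warning site, page-dump reason and call trace all match the signature quoted in the CVE description. The embedded sample log is constructed from lines in that description plus one unrelated warning; the class and function names are the example's own.

```python
"""Detect the CVE-2024-40949 shmem lruvec warning signature in kernel logs.

Added example; assumes "[ seconds.micros] message" lines as printed by
dmesg or journalctl -k. Signature strings are taken from the CVE description.
"""
import re
from dataclasses import dataclass, field

WARN_REASON = "VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())"
WARN_SITE = "folio_lruvec_lock_irqsave"
TRACE_MARKERS = ("shmem_replace_folio", "shmem_swapin_folio")

TS_RE = re.compile(r"^\[\s*([\d.]+)\]\s?(.*)$")
WARNING_RE = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
FRAME_RE = re.compile(r"^\s*(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")


@dataclass
class KernelWarning:
    timestamp: float
    cpu: int
    pid: int
    file_line: str          # e.g. include/linux/memcontrol.h:775
    site: str               # function+offset/size on the WARNING line
    reason: str = ""        # text after "page dumped because:"
    trace: list = field(default_factory=list)

    def is_shmem_lruvec_warning(self) -> bool:
        """True only when site, dump reason and shmem trace frames all line up."""
        return (WARN_SITE in self.site
                and self.reason == WARN_REASON
                and any(m in f for f in self.trace for m in TRACE_MARKERS))


def split_line(line):
    """Return (timestamp, message); timestamp is None if the prefix is absent."""
    m = TS_RE.match(line)
    if m:
        return float(m.group(1)), m.group(2).strip()
    return None, line.strip()


def scan(lines):
    """Group WARNING ... Call trace ... end trace blocks from a line stream."""
    warnings, current, in_trace, pending_reason = [], None, False, ""
    for raw in lines:
        ts, msg = split_line(raw)
        if msg.startswith("page dumped because:"):
            pending_reason = msg.split(":", 1)[1].strip()  # precedes WARNING
            continue
        w = WARNING_RE.search(msg)
        if w:
            current = KernelWarning(ts or 0.0, int(w.group(1)), int(w.group(2)),
                                    w.group(3), w.group(4), reason=pending_reason)
            warnings.append(current)
            pending_reason, in_trace = "", False
            continue
        if current is None:
            continue
        if msg == "Call trace:":
            in_trace = True
        elif msg.startswith("---[ end trace"):
            current, in_trace = None, False
        elif in_trace:
            f = FRAME_RE.match(msg)
            if f:
                current.trace.append(f.group(1))
    return warnings


def find_cve_2024_40949_hits(lines):
    return [w for w in scan(lines) if w.is_shmem_lruvec_warning()]


# Constructed sample: lines from the CVE description plus one unrelated warning.
SAMPLE_LOG = """\
[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
[ 5241.100338] ------------[ cut here ]------------
[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100398] Call trace:
[ 5241.100399]  folio_lruvec_lock_irqsave+0x140/0x150
[ 5241.100401]  __page_cache_release+0x90/0x300
[ 5241.100404]  __folio_put+0x50/0x108
[ 5241.100406]  shmem_replace_folio+0x1b4/0x240
[ 5241.100409]  shmem_swapin_folio+0x314/0x528
[ 5241.100439] ---[ end trace 0000000000000000 ]---
[ 6000.000000] WARNING: CPU: 1 PID: 42 at drivers/example/example.c:10 example_probe+0x10/0x20
[ 6000.000001] Call trace:
[ 6000.000002]  example_probe+0x10/0x20
[ 6000.000003] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    for hit in find_cve_2024_40949_hits(SAMPLE_LOG.splitlines()):
        print(f"shmem lruvec warning: pid={hit.pid} cpu={hit.cpu} at {hit.file_line}")
```

Feed it `dmesg` or `journalctl -k` output on stdin or from a file in place of SAMPLE_LOG; requiring all three parts of the signature keeps unrelated WARNINGs at the same lock site from being reported.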


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.591Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9827c4522896dcbe1475

Added to database: 5/21/2025, 9:08:55 AM

Last enriched: 6/29/2025, 2:40:18 AM

Last updated: 8/15/2025, 7:42:00 AM

Views: 15
