CVE-2024-47745 is a security vulnerability identified in the Linux kernel related to the handling of memory mapping permissions in the remap_file_pages() system call. Specifically, the vulnerability arises because remap_file_pages() calls do_mmap() directly without invoking the Linux Security Module (LSM) hook security_mmap_file(), which is responsible for enforcing security policies such as those implemented by SELinux. When a process sets its personality flag to READ_IMPLIES_EXEC and then calls remap_file_pages() on read-write (RW) pages, the pages can be remapped with read-write-execute (RWX) permissions. This effectively bypasses the W^X (write xor execute) policy enforced by SELinux, which is designed to prevent memory regions from being simultaneously writable and executable, a critical mitigation against code injection and exploitation techniques. The vulnerability is reminiscent of CVE-2016-10044, which involved a similar bypass via asynchronous I/O (AIO). The provided proof-of-concept (PoC) demonstrates how an attacker can create a memory region with RWX permissions despite W^X enforcement by manipulating personality flags and remapping file pages. This vulnerability affects Linux kernel versions identified by the commit hash 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 and likely other versions prior to the patch. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet. The core issue is a missing security check in remap_file_pages(), allowing privilege escalation or code execution in contexts where SELinux policies are expected to prevent such behavior.

For European organizations, this vulnerability poses a significant risk, especially for those relying on SELinux for enforcing strict memory protection policies on Linux-based servers and infrastructure. The ability to bypass W^X policies can allow attackers to execute arbitrary code in memory regions that should be non-executable, facilitating exploitation of other vulnerabilities or direct privilege escalation. This can compromise confidentiality, integrity, and availability of critical systems. Organizations running sensitive workloads, such as financial services, government, healthcare, and critical infrastructure, which often deploy SELinux for enhanced security, are particularly at risk. The vulnerability could be exploited by local attackers or malicious insiders who have the ability to execute code on affected systems, or potentially by remote attackers if combined with other vulnerabilities. The lack of user interaction requirement and the direct kernel-level nature of the flaw increase the severity. While no active exploitation is reported, the presence of a PoC indicates that weaponization is feasible, raising the urgency for mitigation.

European organizations should prioritize patching Linux kernels to versions where this vulnerability is fixed, ensuring that remap_file_pages() properly invokes the security_mmap_file() LSM hook. Until patches are applied, organizations should: 1) Audit and restrict the use of the personality syscall, especially the READ_IMPLIES_EXEC flag, limiting it to trusted applications only. 2) Monitor system calls related to remap_file_pages and personality changes using kernel auditing tools (e.g., auditd) to detect suspicious activity. 3) Employ additional runtime protections such as SELinux targeted policies with enhanced logging and enforcement modes to detect anomalous memory mappings. 4) Restrict access to memfd_create and related syscalls to minimize the attack surface. 5) Conduct thorough code reviews and vulnerability assessments on custom or third-party software that may invoke these syscalls. 6) Implement defense-in-depth strategies including mandatory access controls, application whitelisting, and kernel hardening features like lockdown mode where applicable. 7) Educate system administrators and security teams about this vulnerability and the importance of timely kernel updates.