CVE-2024-49873: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

mm/filemap: fix filemap_get_folios_contig THP panic

Patch series "memfd-pin huge page fixes".

Fix multiple bugs that occur when using memfd_pin_folios with hugetlb pages and THP. The hugetlb bugs only bite when the page is not yet faulted in when memfd_pin_folios is called. The THP bug bites when the starting offset passed to memfd_pin_folios is not huge page aligned. See the commit messages for details.

This patch (of 5):

memfd_pin_folios on memory backed by THP panics if the requested start offset is not huge page aligned:

  BUG: kernel NULL pointer dereference, address: 0000000000000036
  RIP: 0010:filemap_get_folios_contig+0xdf/0x290
  RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202
  RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002

The fault occurs here, because xas_load returns a folio with value 2:

  filemap_get_folios_contig()
    for (folio = xas_load(&xas); folio && xas.xa_index <= end;
         folio = xas_next(&xas)) {
      ...
      if (!folio_try_get(folio))   <-- BOOM

"2" is an xarray sibling entry. We get it because memfd_pin_folios does not round the indices passed to filemap_get_folios_contig to huge page boundaries for THP, so we load from the middle of a huge page range and see a sibling. (It does round for hugetlbfs, at the is_file_hugepages test.)

To fix, if the folio is a sibling, then return the next index as the starting point for the next call to filemap_get_folios_contig.
AI Analysis
Technical Summary
CVE-2024-49873 is a vulnerability in the Linux kernel's memory management subsystem, in how memfd_pin_folios handles memory backed by Transparent Huge Pages (THP). The bug is triggered when memfd_pin_folios is called with a starting offset that is not aligned to a huge page boundary. Because memfd_pin_folios does not round the indices it passes to filemap_get_folios_contig to huge page boundaries for THP (it does so for hugetlbfs), the lookup starts from the middle of a huge page range and filemap_get_folios_contig receives an xarray sibling entry (the value 2) instead of a pointer to a valid folio. Treating that entry as a folio and calling folio_try_get on it dereferences an invalid address, and the kernel panics.

The patch fixes this by detecting sibling entries in filemap_get_folios_contig and returning the next index as the starting point for the following call, so the invalid entry is never dereferenced.

The vulnerability causes a denial of service (kernel panic); it does not appear to allow privilege escalation or arbitrary code execution. It requires memory backed by THP and an unaligned offset passed to memfd_pin_folios, a combination that may be uncommon in typical workloads but is reachable by local users or processes able to invoke this kernel functionality. No known exploits are reported in the wild as of the publication date.
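The sibling-entry mechanism from the description and the fix it sketches, as an added C model (not the kernel's code; every name, constant and the toy page cache below are ours): a flat array stands in for the page-cache xarray, a THP is stored as a head entry followed by sibling markers whose low two bits are 2 (as for the xarray's internal entries, so the sibling of a THP at index 0 is literally the value 2 from the oops), the pre-fix loop treats that marker as a folio pointer, and the fixed loop hands the caller the next index as the commit describes. The pre-fix path reports -1 where the kernel would oops.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a page-cache xarray with multi-index (THP) entries and of the
 * filemap_get_folios_contig() loop before and after the fix. Illustrative
 * only: nothing here is kernel code, and all names and constants are ours. */
#define NR_SLOTS  32
#define THP_ORDER 3                 /* constructed: one "huge page" = 8 indices */

struct folio {
    unsigned long index;            /* first index the folio covers */
    unsigned int order;             /* folio spans 1 << order indices */
    int refcount;
};

static void *slots[NR_SLOTS];       /* the "xarray": one slot per page index */

/* Sibling markers have low two bits == 2, like the xarray's internal entries.
 * The xarray encodes the head's in-node slot offset; we encode the head index. */
static void *mk_sibling(unsigned long head_index)
{
    return (void *)((head_index << 2) | 2);
}

static int is_sibling(const void *e)
{
    return ((uintptr_t)e & 3) == 2;
}

uintptr_t entry_value(unsigned long idx)
{
    return (uintptr_t)slots[idx];
}

/* Store a folio: head at its aligned index, sibling markers after it. */
static void store_folio(struct folio *f)
{
    slots[f->index] = f;
    for (unsigned long i = 1; i < (1UL << f->order); i++)
        slots[f->index + i] = mk_sibling(f->index);
}

static int folio_try_get(struct folio *f)
{
    if (f->refcount == 0)           /* toy: refcount 0 means being freed */
        return 0;
    f->refcount++;
    return 1;
}

/* Collect up to max contiguous folios from *start. apply_fix == 0 models the
 * pre-fix loop, which treats every non-NULL entry as a folio: folio_try_get()
 * on the integer 2 is the kernel oops, reported here as -1 instead of faulting.
 * apply_fix == 1 adds the sibling check: return the next index to the caller. */
int get_folios_contig(unsigned long *start, unsigned long end,
                      struct folio **out, int max, int apply_fix)
{
    unsigned long idx = *start;
    int n = 0;

    while (idx <= end && n < max) {
        void *e = slots[idx];
        if (!e)
            break;                  /* hole: the run is no longer contiguous */
        if (is_sibling(e)) {
            if (!apply_fix)
                return -1;          /* pre-fix: would dereference 2 here */
            *start = idx + 1;       /* the fix: next index for the next call */
            return n;
        }
        struct folio *f = e;
        if (!folio_try_get(f))
            break;
        out[n++] = f;
        idx = f->index + (1UL << f->order);   /* skip the folio's whole range */
    }
    *start = idx;
    return n;
}

/* Caller loop in the spirit of memfd_pin_folios(): keep asking until the
 * range is covered. Returns folios pinned, or -1 if the pre-fix path faulted. */
int pin_range(unsigned long start, unsigned long end, int apply_fix)
{
    struct folio *batch[4];
    int total = 0;

    while (start <= end) {
        unsigned long before = start;
        int n = get_folios_contig(&start, end, batch, 4, apply_fix);
        if (n < 0)
            return -1;
        total += n;
        if (start == before)
            break;                  /* no progress: hole in the range */
    }
    return total;
}

/* Constructed page cache: THPs at aligned indices 0 and 8, one 4K page at 16. */
struct folio thp_a = { 0, THP_ORDER, 1 };
struct folio thp_b = { 8, THP_ORDER, 1 };
struct folio page_c = { 16, 0, 1 };

void setup(void)
{
    memset(slots, 0, sizeof(slots));
    thp_a.refcount = thp_b.refcount = page_c.refcount = 1;
    store_folio(&thp_a);
    store_folio(&thp_b);
    store_folio(&page_c);
}

int main(void)
{
    setup();
    printf("entry at index 3 = %lu (sibling of the THP at 0)\n",
           (unsigned long)entry_value(3));
    printf("aligned start, pre-fix:   %d folios\n", pin_range(0, 16, 0));
    setup();
    printf("unaligned start, pre-fix: %d (-1 = would oops)\n", pin_range(3, 16, 0));
    setup();
    printf("unaligned start, fixed:   %d folios\n", pin_range(3, 16, 1));
    return 0;
}
```

With an aligned start both versions pin all three folios. Starting at index 3 (inside the first THP) the pre-fix loop hits the sibling marker on its first step; the fixed loop returns with the next index, the caller retries, and pinning resumes at the next head entry at index 8. The first THP's refcount is left untouched in that case, which is why the real caller also needed the alignment rounding fixed in the rest of the series.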
Potential Impact
For European organizations, the primary impact of CVE-2024-49873 is the potential for denial of service on Linux systems utilizing Transparent Huge Pages, especially in environments where memfd_pin_folios is used with unaligned offsets. This could affect servers, cloud infrastructure, and containerized environments running Linux kernels vulnerable to this issue. The kernel panic caused by this vulnerability can lead to system crashes, service interruptions, and potential data loss if critical processes are terminated unexpectedly. Organizations relying on Linux for critical infrastructure, including financial institutions, telecommunications, and public sector entities, could experience operational disruptions. While the vulnerability does not directly lead to data breaches or privilege escalation, the availability impact alone can have significant consequences, especially in high-availability environments. Additionally, recovery from kernel panics may require manual intervention or automated failover mechanisms, which may not always be seamless. Given the widespread use of Linux across European data centers and cloud providers, the vulnerability poses a tangible risk to service continuity if unpatched kernels are deployed.
Mitigation Recommendations
To mitigate CVE-2024-49873, organizations should prioritize applying the official Linux kernel patches that address the memfd_pin_folios alignment issue. Kernel updates from trusted Linux distributions that incorporate this fix should be deployed promptly, especially on servers handling workloads that utilize Transparent Huge Pages or memfd_pin_folios functionality. System administrators should audit their environments to identify systems running vulnerable kernel versions and schedule maintenance windows for patching. Additionally, monitoring kernel logs for signs of NULL pointer dereferences or panics related to filemap_get_folios_contig can help detect attempts to trigger this vulnerability. Where immediate patching is not feasible, temporarily disabling Transparent Huge Pages or restricting access to interfaces that invoke memfd_pin_folios may reduce exposure, though this could impact performance. Implementing robust system monitoring and automated recovery mechanisms can minimize downtime caused by unexpected kernel panics. Finally, organizations should maintain up-to-date inventories of Linux kernel versions in use and subscribe to vendor security advisories to stay informed about related vulnerabilities and patches.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.020Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe084a
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 9:09:38 PM
Last updated: 8/9/2025, 12:46:27 AM
Views: 10
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)