CVE-2024-49885: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm, slub: avoid zeroing kmalloc redzone Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"), setting orig_size treats the wasted space (object_size - orig_size) as a redzone. However with init_on_free=1 we clear the full object->size, including the redzone. Additionally we clear the object metadata, including the stored orig_size, making it zero, which makes check_object() treat the whole object as a redzone. These issues lead to the following BUG report with "slub_debug=FUZ init_on_free=1": [ 0.000000] ============================================================================= [ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten [ 0.000000] ----------------------------------------------------------------------------- [ 0.000000] [ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc [ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc [ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff) [ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8 [ 0.000000] [ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........ [ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........ [ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........ [ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............ [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144 [ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT) [ 0.000000] Call trace: [ 0.000000] dump_backtrace+0x90/0xe8 [ 0.000000] show_stack+0x18/0x24 [ 0.000000] dump_stack_lvl+0x74/0x8c [ 0.000000] dump_stack+0x18/0x24 [ 0.000000] print_trailer+0x150/0x218 [ 0.000000] check_object+0xe4/0x454 [ 0.000000] free_to_partial_list+0x2f8/0x5ec To address the issue, use orig_size to clear the used area. And restore the value of orig_size after clear the remaining area. When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns s->object_size. So when using memset to init the area, the size can simply be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not enabled. And orig_size can never be bigger than object_size.
AI Analysis
Technical Summary
CVE-2024-49885 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically within the SLUB allocator, which is responsible for efficient kernel memory allocation. The issue arises from improper handling of the 'redzone' in kmalloc objects when the kernel is configured with SLUB debugging enabled (CONFIG_SLUB_DEBUG) and the init_on_free=1 option is set. The redzone is a protective buffer zone around allocated memory objects used to detect buffer overflows and memory corruption. Since commit 946fa0dbf2d8, the kernel treats the wasted space between the actual allocated object size and the originally requested size (orig_size) as a redzone. However, when init_on_free=1 is enabled, the entire allocated object size is zeroed out upon free, including the redzone area. Additionally, the orig_size metadata is cleared, causing the check_object() function to mistakenly treat the entire object as a redzone. This leads to kernel BUG reports indicating that the kmalloc redzone has been overwritten, which can cause system instability or crashes. The root cause is that the clearing operation does not respect the orig_size boundary, and the orig_size metadata is lost during the clearing process. The fix involves using orig_size to zero only the used portion of the object and restoring the orig_size value after clearing the remaining area. When SLUB debugging is disabled, orig_size defaults to the object size, simplifying the clearing process. This vulnerability affects Linux kernel versions containing the specified commit and can manifest during kernel memory deallocation, potentially leading to kernel panics or denial of service. There is no evidence of active exploitation in the wild at this time.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with SLUB debugging and init_on_free enabled—configurations more common in development, testing, or specialized hardened environments rather than typical production servers. Exploitation can cause kernel crashes or instability, leading to denial of service conditions. Critical infrastructure, cloud providers, and enterprises relying on Linux-based systems for essential services could experience outages or degraded performance. Although this vulnerability does not directly lead to privilege escalation or remote code execution, the resulting system instability could be leveraged by attackers to disrupt services or as part of a multi-stage attack. The impact is more pronounced in environments where uptime and reliability are critical, such as financial institutions, healthcare providers, and industrial control systems prevalent in Europe. Furthermore, organizations employing custom kernel builds with debugging enabled may be more susceptible. Given the Linux kernel's widespread use across European industries and governments, unpatched systems could face operational risks and compliance challenges.
Mitigation Recommendations
European organizations should first identify systems running affected Linux kernel versions with SLUB debugging and init_on_free enabled. Since this configuration is not default in most production environments, verifying kernel build options is essential. The primary mitigation is to apply the official patch that corrects the zeroing behavior to respect orig_size and preserves metadata during memory deallocation. Organizations should update to the latest stable Linux kernel releases that include this fix. For systems where upgrading the kernel is not immediately feasible, disabling SLUB debugging or the init_on_free option can serve as a temporary workaround, though this may reduce debugging capabilities or memory safety checks. Additionally, organizations should implement robust kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of kernel panics. Regularly auditing kernel configurations and maintaining an inventory of kernel versions and build options will help prioritize patching efforts. Finally, integrating these checks into continuous integration pipelines for custom kernel builds can prevent vulnerable configurations from deployment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-49885: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm, slub: avoid zeroing kmalloc redzone Since commit 946fa0dbf2d8 ("mm/slub: extend redzone check to extra allocated kmalloc space than requested"), setting orig_size treats the wasted space (object_size - orig_size) as a redzone. However with init_on_free=1 we clear the full object->size, including the redzone. Additionally we clear the object metadata, including the stored orig_size, making it zero, which makes check_object() treat the whole object as a redzone. These issues lead to the following BUG report with "slub_debug=FUZ init_on_free=1": [ 0.000000] ============================================================================= [ 0.000000] BUG kmalloc-8 (Not tainted): kmalloc Redzone overwritten [ 0.000000] ----------------------------------------------------------------------------- [ 0.000000] [ 0.000000] 0xffff000010032858-0xffff00001003285f @offset=2136. First byte 0x0 instead of 0xcc [ 0.000000] FIX kmalloc-8: Restoring kmalloc Redzone 0xffff000010032858-0xffff00001003285f=0xcc [ 0.000000] Slab 0xfffffdffc0400c80 objects=36 used=23 fp=0xffff000010032a18 flags=0x3fffe0000000200(workingset|node=0|zone=0|lastcpupid=0x1ffff) [ 0.000000] Object 0xffff000010032858 @offset=2136 fp=0xffff0000100328c8 [ 0.000000] [ 0.000000] Redzone ffff000010032850: cc cc cc cc cc cc cc cc ........ [ 0.000000] Object ffff000010032858: cc cc cc cc cc cc cc cc ........ [ 0.000000] Redzone ffff000010032860: cc cc cc cc cc cc cc cc ........ [ 0.000000] Padding ffff0000100328b4: 00 00 00 00 00 00 00 00 00 00 00 00 ............ [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.11.0-rc3-next-20240814-00004-g61844c55c3f4 #144 [ 0.000000] Hardware name: NXP i.MX95 19X19 board (DT) [ 0.000000] Call trace: [ 0.000000] dump_backtrace+0x90/0xe8 [ 0.000000] show_stack+0x18/0x24 [ 0.000000] dump_stack_lvl+0x74/0x8c [ 0.000000] dump_stack+0x18/0x24 [ 0.000000] print_trailer+0x150/0x218 [ 0.000000] check_object+0xe4/0x454 [ 0.000000] free_to_partial_list+0x2f8/0x5ec To address the issue, use orig_size to clear the used area. And restore the value of orig_size after clear the remaining area. When CONFIG_SLUB_DEBUG not defined, (get_orig_size()' directly returns s->object_size. So when using memset to init the area, the size can simply be orig_size, as orig_size returns object_size when CONFIG_SLUB_DEBUG not enabled. And orig_size can never be bigger than object_size.
AI-Powered Analysis
Technical Analysis
CVE-2024-49885 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically within the SLUB allocator, which is responsible for efficient kernel memory allocation. The issue arises from improper handling of the 'redzone' in kmalloc objects when the kernel is configured with SLUB debugging enabled (CONFIG_SLUB_DEBUG) and the init_on_free=1 option is set. The redzone is a protective buffer zone around allocated memory objects used to detect buffer overflows and memory corruption. Since commit 946fa0dbf2d8, the kernel treats the wasted space between the actual allocated object size and the originally requested size (orig_size) as a redzone. However, when init_on_free=1 is enabled, the entire allocated object size is zeroed out upon free, including the redzone area. Additionally, the orig_size metadata is cleared, causing the check_object() function to mistakenly treat the entire object as a redzone. This leads to kernel BUG reports indicating that the kmalloc redzone has been overwritten, which can cause system instability or crashes. The root cause is that the clearing operation does not respect the orig_size boundary, and the orig_size metadata is lost during the clearing process. The fix involves using orig_size to zero only the used portion of the object and restoring the orig_size value after clearing the remaining area. When SLUB debugging is disabled, orig_size defaults to the object size, simplifying the clearing process. This vulnerability affects Linux kernel versions containing the specified commit and can manifest during kernel memory deallocation, potentially leading to kernel panics or denial of service. There is no evidence of active exploitation in the wild at this time.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions with SLUB debugging and init_on_free enabled—configurations more common in development, testing, or specialized hardened environments rather than typical production servers. Exploitation can cause kernel crashes or instability, leading to denial of service conditions. Critical infrastructure, cloud providers, and enterprises relying on Linux-based systems for essential services could experience outages or degraded performance. Although this vulnerability does not directly lead to privilege escalation or remote code execution, the resulting system instability could be leveraged by attackers to disrupt services or as part of a multi-stage attack. The impact is more pronounced in environments where uptime and reliability are critical, such as financial institutions, healthcare providers, and industrial control systems prevalent in Europe. Furthermore, organizations employing custom kernel builds with debugging enabled may be more susceptible. Given the Linux kernel's widespread use across European industries and governments, unpatched systems could face operational risks and compliance challenges.
Mitigation Recommendations
European organizations should first identify systems running affected Linux kernel versions with SLUB debugging and init_on_free enabled. Since this configuration is not default in most production environments, verifying kernel build options is essential. The primary mitigation is to apply the official patch that corrects the zeroing behavior to respect orig_size and preserves metadata during memory deallocation. Organizations should update to the latest stable Linux kernel releases that include this fix. For systems where upgrading the kernel is not immediately feasible, disabling SLUB debugging or the init_on_free option can serve as a temporary workaround, though this may reduce debugging capabilities or memory safety checks. Additionally, organizations should implement robust kernel crash monitoring and automated recovery mechanisms to minimize downtime in case of kernel panics. Regularly auditing kernel configurations and maintaining an inventory of kernel versions and build options will help prioritize patching efforts. Finally, integrating these checks into continuous integration pipelines for custom kernel builds can prevent vulnerable configurations from deployment.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T12:17:06.022Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbe08ab
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 9:12:08 PM
Last updated: 8/12/2025, 7:18:03 PM
Views: 13
Related Threats
CVE-2025-8567: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in posimyththemes Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates
MediumCVE-2025-41689: CWE-306 Missing Authentication for Critical Function in Wiesemann & Theis Motherbox 3
MediumCVE-2025-41685: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in SMA ennexos.sunnyportal.com
MediumCVE-2025-8723: CWE-94 Improper Control of Generation of Code ('Code Injection') in mecanik Cloudflare Image Resizing – Optimize & Accelerate Your Images
CriticalCVE-2025-8622: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webaware Flexible Map
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.