CVE-2024-50066: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix move_normal_pmd/retract_page_tables race In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, which would require creating your own user+mount namespace; though I don't know if some distros maybe enable shmem THP by default or something like that. Bug impact: This issue can likely be used for user->kernel privilege escalation when it is reachable.
AI Analysis
Technical Summary
CVE-2024-50066 is a race condition vulnerability in the Linux kernel's memory management subsystem, specifically within the mremap() function that handles remapping of virtual memory areas. The vulnerability arises in the handling of huge page mappings (Transparent Huge Pages, THP) backed by tmpfs files. The core issue is a race between two processes manipulating page tables: process A performing mremap() and process B performing madvise(MADV_COLLAPSE) on the same tmpfs-backed huge page mappings. During mremap(), the kernel holds the mmap_lock in write mode but does not yet hold reverse mapping (rmap) locks when it reads the Page Middle Directory (PMD) entries to decide how to move page tables. Meanwhile, process B can concurrently retract page tables under rmap locks. Because the rmap locks are acquired only after the PMD entry is read, a race occurs where move_normal_pmd() can populate bogus PMD entries, potentially mapping physical page 0 as a page table. On x86 architectures, this can lead to a user-to-kernel privilege escalation exploit. The fix involves rechecking the PMD entry after acquiring rmap locks to ensure it still points to a page table, falling back to safer PTE-level copying if not. Exploiting this vulnerability requires the ability to create shared memory (shmem) or file-backed THP mappings on tmpfs with specific mount flags, which typically requires creating user and mount namespaces. This limits exploitability to environments where such capabilities are granted or misconfigured. The vulnerability is rated with a CVSS 3.1 score of 7.0 (High), reflecting its complexity and potential impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, the impact of CVE-2024-50066 can be significant, especially for those running Linux servers or workstations with kernels vulnerable to this flaw. Successful exploitation allows local attackers with limited privileges to escalate to kernel-level privileges, potentially gaining full control over the affected system. This can lead to unauthorized access to sensitive data, disruption of services, and the ability to install persistent malware or backdoors. Organizations relying on Linux-based infrastructure for critical services, cloud environments, or container orchestration platforms may face increased risk if attackers can leverage this vulnerability to compromise host systems. The requirement for specific tmpfs mount configurations and namespace capabilities somewhat limits the attack surface, but environments that allow unprivileged user namespaces or have misconfigured tmpfs mounts could be at higher risk. Additionally, the vulnerability could be leveraged in multi-tenant environments or shared hosting scenarios common in European data centers, increasing the potential for cross-tenant attacks.
Mitigation Recommendations
1. Patch promptly: Apply the latest Linux kernel updates that include the fix for CVE-2024-50066 as soon as they become available from your distribution vendor. 2. Restrict user namespaces: Disable or restrict unprivileged user namespaces where possible, as creating the necessary tmpfs mounts with required flags often requires user+mount namespaces. 3. Harden tmpfs usage: Review and restrict the use of tmpfs mounts with huge=advise or other THP-related mount options, especially for untrusted users or containers. 4. Limit capabilities: Use Linux Security Modules (e.g., SELinux, AppArmor) or container runtime security profiles to restrict capabilities that allow mounting filesystems or manipulating memory mappings. 5. Monitor for suspicious activity: Implement monitoring for unusual madvise() calls or memory remapping operations that could indicate exploitation attempts. 6. Use kernel lockdown features: Where applicable, enable kernel lockdown modes to reduce the attack surface for privilege escalation. 7. Audit and restrict container configurations: Ensure container runtimes do not grant unnecessary privileges or capabilities that could enable exploitation of this vulnerability. 8. Educate system administrators about the risks of enabling experimental kernel features like CONFIG_READ_ONLY_THP_FOR_FS and the implications for security.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2024-50066: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix move_normal_pmd/retract_page_tables race In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, which would require creating your own user+mount namespace; though I don't know if some distros maybe enable shmem THP by default or something like that. Bug impact: This issue can likely be used for user->kernel privilege escalation when it is reachable.
AI-Powered Analysis
Technical Analysis
CVE-2024-50066 is a race condition vulnerability in the Linux kernel's memory management subsystem, specifically within the mremap() function that handles remapping of virtual memory areas. The vulnerability arises in the handling of huge page mappings (Transparent Huge Pages, THP) backed by tmpfs files. The core issue is a race between two processes manipulating page tables: process A performing mremap() and process B performing madvise(MADV_COLLAPSE) on the same tmpfs-backed huge page mappings. During mremap(), the kernel holds the mmap_lock in write mode but does not yet hold reverse mapping (rmap) locks when it reads the Page Middle Directory (PMD) entries to decide how to move page tables. Meanwhile, process B can concurrently retract page tables under rmap locks. Because the rmap locks are acquired only after the PMD entry is read, a race occurs where move_normal_pmd() can populate bogus PMD entries, potentially mapping physical page 0 as a page table. On x86 architectures, this can lead to a user-to-kernel privilege escalation exploit. The fix involves rechecking the PMD entry after acquiring rmap locks to ensure it still points to a page table, falling back to safer PTE-level copying if not. Exploiting this vulnerability requires the ability to create shared memory (shmem) or file-backed THP mappings on tmpfs with specific mount flags, which typically requires creating user and mount namespaces. This limits exploitability to environments where such capabilities are granted or misconfigured. The vulnerability is rated with a CVSS 3.1 score of 7.0 (High), reflecting its complexity and potential impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, the impact of CVE-2024-50066 can be significant, especially for those running Linux servers or workstations with kernels vulnerable to this flaw. Successful exploitation allows local attackers with limited privileges to escalate to kernel-level privileges, potentially gaining full control over the affected system. This can lead to unauthorized access to sensitive data, disruption of services, and the ability to install persistent malware or backdoors. Organizations relying on Linux-based infrastructure for critical services, cloud environments, or container orchestration platforms may face increased risk if attackers can leverage this vulnerability to compromise host systems. The requirement for specific tmpfs mount configurations and namespace capabilities somewhat limits the attack surface, but environments that allow unprivileged user namespaces or have misconfigured tmpfs mounts could be at higher risk. Additionally, the vulnerability could be leveraged in multi-tenant environments or shared hosting scenarios common in European data centers, increasing the potential for cross-tenant attacks.
Mitigation Recommendations
1. Patch promptly: Apply the latest Linux kernel updates that include the fix for CVE-2024-50066 as soon as they become available from your distribution vendor. 2. Restrict user namespaces: Disable or restrict unprivileged user namespaces where possible, as creating the necessary tmpfs mounts with required flags often requires user+mount namespaces. 3. Harden tmpfs usage: Review and restrict the use of tmpfs mounts with huge=advise or other THP-related mount options, especially for untrusted users or containers. 4. Limit capabilities: Use Linux Security Modules (e.g., SELinux, AppArmor) or container runtime security profiles to restrict capabilities that allow mounting filesystems or manipulating memory mappings. 5. Monitor for suspicious activity: Implement monitoring for unusual madvise() calls or memory remapping operations that could indicate exploitation attempts. 6. Use kernel lockdown features: Where applicable, enable kernel lockdown modes to reduce the attack surface for privilege escalation. 7. Audit and restrict container configurations: Ensure container runtimes do not grant unnecessary privileges or capabilities that could enable exploitation of this vulnerability. 8. Educate system administrators about the risks of enabling experimental kernel features like CONFIG_READ_ONLY_THP_FOR_FS and the implications for security.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.939Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9824c4522896dcbdfe41
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 7/2/2025, 11:43:22 PM
Last updated: 8/2/2025, 12:50:26 PM
Views: 18
Related Threats
CVE-2025-8810: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-8809: SQL Injection in code-projects Online Medicine Guide
MediumCVE-2025-8808: CSV Injection in xujeff tianti 天梯
MediumCVE-2025-8807: Missing Authorization in xujeff tianti 天梯
MediumCVE-2025-8806: SQL Injection in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.