CVE-2024-50114: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM:

  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317
   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119
   print_report+0x144/0x7a4 mm/kasan/report.c:377
   kasan_report+0xcc/0x128 mm/kasan/report.c:601
   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409
   __fput+0x198/0x71c fs/file_table.c:422
   ____fput+0x20/0x30 fs/file_table.c:450
   task_work_run+0x1cc/0x23c kernel/task_work.c:228
   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50
   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169
   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of the commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock.

Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.
AI Analysis
Technical Summary
CVE-2024-50114 is a high-severity use-after-free vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem specifically affecting the ARM64 architecture. The flaw arises during the teardown process of a virtual CPU (vCPU) when the creation of a vCPU fails late in the initialization sequence, such as when a vCPU with the same ID already exists within the virtual machine (VM). The root cause is improper handling of the MMIO (Memory-Mapped I/O) redistributor unregistration for the failed vCPU. The vulnerability was discovered through syzkaller, a kernel fuzzing tool, which triggered a slab-use-after-free error in the function kvm_put_kvm at kvm_main.c line 5769. The issue originated from a previous code refactor that moved the unregistration logic out of __kvm_vgic_vcpu_destroy() to avoid a lock inversion between srcu and config_lock. However, this change inadvertently left the MMIO redistributor registered for vCPUs that failed creation, leading to a use-after-free when the system later attempts to access freed memory. The fix involves adding a special-case unregistration within __kvm_vgic_vcpu_destroy() for failed vCPUs, ensuring safe teardown without causing lock inversion. This vulnerability impacts Linux kernel versions containing the specified commit hashes prior to the fix and affects ARM64 KVM users. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity, requiring local privileges but no user interaction. No known exploits are currently in the wild, but the vulnerability could be leveraged by attackers with local access to cause kernel crashes or potentially escalate privileges through memory corruption.
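The failure pattern described above (a per-vCPU MMIO registration made early in creation, a late failure that frees the vCPU, and a registration left behind that a later teardown walk dereferences) is easier to see in a small model. The following is an added illustration written for this page, not the kernel's code: the structures and functions (vm, vcpu, mmio_region, vcpu_create, failed_vcpu_destroy, run_scenario) are invented for the model, the "redistributor" is reduced to a registration slot, and the duplicate-vCPU-id check is the late failure. Instead of dereferencing freed memory, the model counts registrations whose owner is no longer a live vCPU; on a real kernel that dereference is where KASAN fires.

```c
/* Added user-space model of the error path behind CVE-2024-50114.
 * Not kernel code: all names here are invented for the illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_VCPUS 8

struct vcpu {
    int id;
    unsigned token;   /* unique per allocation; identifies stale registrations safely */
};

struct mmio_region {
    bool in_use;
    unsigned owner_token;   /* token of the vCPU allocation that registered it */
};

struct vm {
    struct vcpu *vcpus[MAX_VCPUS];
    int nr_vcpus;
    struct mmio_region regions[MAX_VCPUS];
    unsigned next_token;
};

/* Early creation step: claim a region slot for this vCPU's redistributor. */
static bool register_redist(struct vm *vm, const struct vcpu *v)
{
    for (int i = 0; i < MAX_VCPUS; i++) {
        if (!vm->regions[i].in_use) {
            vm->regions[i].in_use = true;
            vm->regions[i].owner_token = v->token;
            return true;
        }
    }
    return false;
}

static void unregister_redist(struct vm *vm, const struct vcpu *v)
{
    for (int i = 0; i < MAX_VCPUS; i++)
        if (vm->regions[i].in_use && vm->regions[i].owner_token == v->token)
            vm->regions[i].in_use = false;
}

static bool vcpu_id_exists(const struct vm *vm, int id)
{
    for (int i = 0; i < vm->nr_vcpus; i++)
        if (vm->vcpus[i]->id == id)
            return true;
    return false;
}

/* Teardown for a vCPU that never joined the VM. With 'fixed' the region is
 * dropped before the object is freed; without it the registration survives. */
static void failed_vcpu_destroy(struct vm *vm, struct vcpu *v, bool fixed)
{
    if (fixed)
        unregister_redist(vm, v);   /* the special-cased unregistration */
    free(v);                        /* buggy path: the region still refers to v */
}

/* Returns 0 on success, -1 when creation fails. */
static int vcpu_create(struct vm *vm, int id, bool fixed)
{
    struct vcpu *v = calloc(1, sizeof(*v));
    if (!v) return -1;
    v->id = id;
    v->token = ++vm->next_token;
    if (!register_redist(vm, v)) { free(v); return -1; }
    if (vcpu_id_exists(vm, id)) {           /* late failure: duplicate id */
        failed_vcpu_destroy(vm, v, fixed);
        return -1;
    }
    vm->vcpus[vm->nr_vcpus++] = v;
    return 0;
}

/* Registrations whose owner is not a live vCPU. A teardown walk that followed
 * them would be the use-after-free; the model only counts them. */
static int dangling_regions(const struct vm *vm)
{
    int n = 0;
    for (int i = 0; i < MAX_VCPUS; i++) {
        if (!vm->regions[i].in_use) continue;
        bool live = false;
        for (int j = 0; j < vm->nr_vcpus; j++)
            if (vm->vcpus[j]->token == vm->regions[i].owner_token) live = true;
        if (!live) n++;
    }
    return n;
}

static void vm_teardown(struct vm *vm)
{
    for (int i = 0; i < vm->nr_vcpus; i++) {
        unregister_redist(vm, vm->vcpus[i]);
        free(vm->vcpus[i]);
    }
    vm->nr_vcpus = 0;
}

/* Scenario from the report: create vCPU 0, then try to create vCPU 0 again.
 * Returns the number of stale registrations left behind by the failed create. */
int run_scenario(bool fixed)
{
    struct vm vm = {0};
    vcpu_create(&vm, 0, fixed);
    int rc = vcpu_create(&vm, 0, fixed);   /* fails late with a duplicate id */
    int dangling = rc < 0 ? dangling_regions(&vm) : -1;
    vm_teardown(&vm);
    return dangling;
}

int main(void)
{
    printf("buggy path: %d stale registration(s)\n", run_scenario(false));
    printf("fixed path: %d stale registration(s)\n", run_scenario(true));
    return 0;
}
```

The point of the model is the asymmetry the commit message describes: the registration happens before the late check, so any failure after it needs its own cleanup. The kernel fix does this inside __kvm_vgic_vcpu_destroy() for the failed-creation case only, which is possible there because failed vCPUs are torn down outside the config_lock.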
Potential Impact
For European organizations, especially those utilizing ARM64-based Linux virtualized environments, this vulnerability poses a significant risk. The KVM subsystem is widely used in cloud infrastructure, data centers, and edge computing deployments. Exploitation could lead to denial of service via kernel crashes or enable privilege escalation attacks, compromising the confidentiality and integrity of sensitive data and critical systems. Organizations running ARM64 Linux kernels in virtualized environments—such as telecom providers deploying ARM-based network functions, cloud service providers offering ARM64 VM instances, or enterprises using ARM64 servers—are particularly vulnerable. The vulnerability could disrupt service availability and lead to data breaches or unauthorized access if exploited. Given the increasing adoption of ARM64 architectures in Europe for energy-efficient computing, the threat surface is expanding. The lack of known public exploits currently limits immediate risk, but the vulnerability's nature and high CVSS score warrant prompt attention to prevent future exploitation.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-50114 as soon as vendor updates are available. Until patches are applied, organizations should:

1) Restrict local access to systems running ARM64 KVM to trusted administrators only, minimizing the risk of local exploitation.
2) Monitor kernel logs for unusual KVM or vCPU teardown errors that could indicate attempted exploitation.
3) Employ kernel hardening techniques such as KASLR (Kernel Address Space Layout Randomization) and enable Kernel Page Table Isolation (KPTI) to reduce exploitation feasibility.
4) For cloud providers, isolate ARM64 VM instances and enforce strict tenant separation to limit lateral movement if a VM is compromised.
5) Conduct regular security audits and vulnerability scans focusing on kernel versions and virtualization components.
6) Engage with Linux distribution vendors and subscribe to security advisories to receive timely patch notifications.

These steps go beyond generic advice by focusing on access control, monitoring, and environment-specific hardening tailored to ARM64 KVM deployments prevalent in Europe.
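Recommendation 2 (monitoring kernel logs) is concrete enough to script. The following triage helper is an added example for this page, not part of the advisory or of any kernel tooling: it scans dmesg-style lines for a KASAN report header, extracts the bug class and the faulting function, and counts how many call-trace frames sit in KVM code (virt/kvm/ or arch/arm64/kvm/), which is the signal that a crash involves the hypervisor rather than some unrelated subsystem. The sample lines are abridged from the report quoted in the description above, with constructed dmesg timestamps prepended so the prefix handling is exercised.

```c
/* Added KASAN report triage helper; not from the advisory or the kernel.
 * Sample lines: abridged from the CVE-2024-50114 report, timestamps constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct kasan_report {
    bool found;          /* a "BUG: KASAN:" header line was seen */
    char bug_type[64];   /* e.g. "slab-use-after-free" */
    char func[64];       /* function named in the header, e.g. "kvm_put_kvm" */
    int kvm_frames;      /* call-trace frames under virt/kvm/ or arch/arm64/kvm/ */
};

/* dmesg prefixes lines with "[ seconds.micros] "; skip it when present. */
static const char *skip_timestamp(const char *line)
{
    if (line[0] == '[') {
        const char *close = strchr(line, ']');
        if (close) {
            line = close + 1;
            while (*line == ' ') line++;
        }
    }
    return line;
}

static void copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse "BUG: KASAN: <type> in <func>+<off>/<size> <file>:<line>". */
static bool parse_kasan_header(const char *line, struct kasan_report *r)
{
    static const char tag[] = "BUG: KASAN: ";
    const char *p = skip_timestamp(line);
    if (strncmp(p, tag, sizeof(tag) - 1) != 0) return false;
    p += sizeof(tag) - 1;
    const char *in = strstr(p, " in ");
    if (!in) return false;
    copy_bounded(r->bug_type, sizeof(r->bug_type), p, (size_t)(in - p));
    const char *f = in + 4;
    const char *end = strpbrk(f, "+ ");
    copy_bounded(r->func, sizeof(r->func), f, end ? (size_t)(end - f) : strlen(f));
    r->found = true;
    return true;
}

static bool frame_is_kvm(const char *line)
{
    return strstr(line, "virt/kvm/") != NULL || strstr(line, "arch/arm64/kvm/") != NULL;
}

/* Walk a batch of log lines and summarise the first KASAN report found. */
struct kasan_report triage(const char *const *lines, int n)
{
    struct kasan_report r = {0};
    bool in_trace = false;
    for (int i = 0; i < n; i++) {
        const char *p = skip_timestamp(lines[i]);
        if (!r.found && parse_kasan_header(p, &r)) continue;
        if (strncmp(p, "Call trace:", 11) == 0) { in_trace = true; continue; }
        if (in_trace && frame_is_kvm(p)) r.kvm_frames++;
    }
    return r;
}

/* Constructed sample: abridged from the report in the description, with
 * invented dmesg timestamps. */
static const char *const SAMPLE[] = {
    "[  812.345678] BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769",
    "[  812.345690] Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758",
    "[  812.345701] CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64",
    "[  812.345712] Call trace:",
    "[  812.345720]  dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317",
    "[  812.345731]  kasan_report+0xcc/0x128 mm/kasan/report.c:601",
    "[  812.345742]  kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769",
    "[  812.345753]  kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409",
    "[  812.345764]  __fput+0x198/0x71c fs/file_table.c:422",
    "[  812.345775]  el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169",
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int sample_kvm_frames(void)
{
    return triage(SAMPLE, SAMPLE_LEN).kvm_frames;
}

bool sample_header_matches(const char *type, const char *func)
{
    struct kasan_report r = triage(SAMPLE, SAMPLE_LEN);
    return r.found && strcmp(r.bug_type, type) == 0 && strcmp(r.func, func) == 0;
}

int main(void)
{
    struct kasan_report r = triage(SAMPLE, SAMPLE_LEN);
    if (r.found)
        printf("KASAN %s in %s (%d KVM frame(s) in trace)\n", r.bug_type, r.func, r.kvm_frames);
    else
        printf("no KASAN report in input\n");
    return 0;
}
```

One caveat for anyone wiring this into log monitoring: the "BUG: KASAN:" header only appears on kernels built with KASAN, which production kernels normally are not. On a production host the same defect surfaces as an ordinary oops or panic with a KVM frame near the top of the call trace, so the frame-counting part of the check is the portion that transfers; the header parse is for test and fuzzing hosts.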
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Ireland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.947Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbdffa9
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 7/2/2025, 11:55:18 PM
Last updated: 8/8/2025, 11:50:22 PM