CVE-2024-50182: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot set direct map Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages). More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map. Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't be affected. From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations. [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/ [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/
AI Analysis
Technical Summary
CVE-2024-50182 addresses a vulnerability in the Linux kernel's memfd_secret() syscall implementation, specifically affecting certain ARM64 configurations. The memfd_secret() syscall is designed to create memory file descriptors whose contents are removed from the kernel's direct memory map, enhancing security by preventing certain types of memory disclosure or tampering. However, on some ARM64 systems where the architecture cannot set the direct map at the required 4KB granularity (due to ARM's break-before-make semantics and large/gigantic page handling), the function set_direct_map_invalid_noflush() becomes a no-op but incorrectly returns success (0). This leads to a silent failure where memfd_secret() appears to work (the syscall succeeds, and memory can be mmap'ed and faulted in), but the memory is not actually removed from the direct map as intended. This behavior undermines the security guarantees of memfd_secret(), potentially exposing sensitive memory contents to unauthorized access or kernel-level attacks. The patch associated with this CVE changes memfd_secret() to return -ENOSYS (function not implemented) on systems where can_set_direct_map() returns false, effectively disabling the syscall in these scenarios. This approach prevents silent failures and aligns with the original intended behavior of disabling memfd_secret() when the direct map cannot be set appropriately. The affected systems are ARM64 Linux kernels configured with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, and CONFIG_KFENCE=n, although most ARM64 systems have CONFIG_RODATA_FULL_DEFAULT_ENABLED=y by default and are thus not impacted. This vulnerability does not affect x86 or other architectures and is specific to certain kernel configurations on ARM64. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the impact of CVE-2024-50182 is primarily relevant to those deploying ARM64-based Linux systems with the specific kernel configurations that disable full read-only data protection and debugging features (CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, CONFIG_KFENCE=n). Such systems may be found in embedded devices, ARM64 servers, or specialized infrastructure. The vulnerability could allow attackers with local access or kernel-level privileges to bypass memory protection mechanisms, potentially leading to unauthorized memory disclosure or manipulation. This could compromise confidentiality and integrity of sensitive data processed or stored in memory. However, since the vulnerability results in a silent failure rather than a direct exploit vector, and memfd_secret() is a relatively specialized syscall, the risk is somewhat limited to environments relying on this feature for security. The lack of known exploits and the requirement for specific kernel configurations reduce the immediate threat level. Nevertheless, organizations using ARM64 Linux kernels in critical infrastructure, cloud services, or embedded systems should assess their exposure, as attackers could leverage this flaw to escalate privileges or bypass memory protections if combined with other vulnerabilities.
Mitigation Recommendations
1. Upgrade affected Linux kernels to versions that include the patch disabling memfd_secret() on unsupported ARM64 configurations, ensuring the syscall returns an error rather than silently failing. 2. Audit ARM64 Linux systems to verify kernel configuration options, specifically ensuring CONFIG_RODATA_FULL_DEFAULT_ENABLED is enabled (set to 'y'), and consider enabling CONFIG_DEBUG_PAGEALLOC and CONFIG_KFENCE where feasible to enhance memory protection and debugging. 3. For systems where memfd_secret() functionality is critical, validate that the direct map can be set at 4KB granularity to avoid this issue. 4. Restrict local access to ARM64 systems to trusted users and processes to reduce the risk of exploitation. 5. Monitor kernel updates and security advisories for further developments related to memfd_secret() and ARM64 memory mapping. 6. Implement defense-in-depth strategies such as mandatory access controls (e.g., SELinux, AppArmor) and kernel hardening features to limit the impact of potential memory disclosure. 7. Conduct thorough testing after kernel upgrades to ensure memfd_secret() behaves as expected and does not silently fail.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
CVE-2024-50182: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot set direct map Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages). More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map. Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't be affected. From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations. [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/ [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/
AI-Powered Analysis
Technical Analysis
CVE-2024-50182 addresses a vulnerability in the Linux kernel's memfd_secret() syscall implementation, specifically affecting certain ARM64 configurations. The memfd_secret() syscall is designed to create memory file descriptors whose contents are removed from the kernel's direct memory map, enhancing security by preventing certain types of memory disclosure or tampering. However, on some ARM64 systems where the architecture cannot set the direct map at the required 4KB granularity (due to ARM's break-before-make semantics and large/gigantic page handling), the function set_direct_map_invalid_noflush() becomes a no-op but incorrectly returns success (0). This leads to a silent failure where memfd_secret() appears to work (the syscall succeeds, and memory can be mmap'ed and faulted in), but the memory is not actually removed from the direct map as intended. This behavior undermines the security guarantees of memfd_secret(), potentially exposing sensitive memory contents to unauthorized access or kernel-level attacks. The patch associated with this CVE changes memfd_secret() to return -ENOSYS (function not implemented) on systems where can_set_direct_map() returns false, effectively disabling the syscall in these scenarios. This approach prevents silent failures and aligns with the original intended behavior of disabling memfd_secret() when the direct map cannot be set appropriately. The affected systems are ARM64 Linux kernels configured with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, and CONFIG_KFENCE=n, although most ARM64 systems have CONFIG_RODATA_FULL_DEFAULT_ENABLED=y by default and are thus not impacted. This vulnerability does not affect x86 or other architectures and is specific to certain kernel configurations on ARM64. No known exploits are reported in the wild at this time.
Potential Impact
For European organizations, the impact of CVE-2024-50182 is primarily relevant to those deploying ARM64-based Linux systems with the specific kernel configurations that disable full read-only data protection and debugging features (CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, CONFIG_KFENCE=n). Such systems may be found in embedded devices, ARM64 servers, or specialized infrastructure. The vulnerability could allow attackers with local access or kernel-level privileges to bypass memory protection mechanisms, potentially leading to unauthorized memory disclosure or manipulation. This could compromise confidentiality and integrity of sensitive data processed or stored in memory. However, since the vulnerability results in a silent failure rather than a direct exploit vector, and memfd_secret() is a relatively specialized syscall, the risk is somewhat limited to environments relying on this feature for security. The lack of known exploits and the requirement for specific kernel configurations reduce the immediate threat level. Nevertheless, organizations using ARM64 Linux kernels in critical infrastructure, cloud services, or embedded systems should assess their exposure, as attackers could leverage this flaw to escalate privileges or bypass memory protections if combined with other vulnerabilities.
Mitigation Recommendations
1. Upgrade affected Linux kernels to versions that include the patch disabling memfd_secret() on unsupported ARM64 configurations, ensuring the syscall returns an error rather than silently failing. 2. Audit ARM64 Linux systems to verify kernel configuration options, specifically ensuring CONFIG_RODATA_FULL_DEFAULT_ENABLED is enabled (set to 'y'), and consider enabling CONFIG_DEBUG_PAGEALLOC and CONFIG_KFENCE where feasible to enhance memory protection and debugging. 3. For systems where memfd_secret() functionality is critical, validate that the direct map can be set at 4KB granularity to avoid this issue. 4. Restrict local access to ARM64 systems to trusted users and processes to reduce the risk of exploitation. 5. Monitor kernel updates and security advisories for further developments related to memfd_secret() and ARM64 memory mapping. 6. Implement defense-in-depth strategies such as mandatory access controls (e.g., SELinux, AppArmor) and kernel hardening features to limit the impact of potential memory disclosure. 7. Conduct thorough testing after kernel upgrades to ensure memfd_secret() behaves as expected and does not silently fail.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.965Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdf40f
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 12:39:55 PM
Last updated: 8/15/2025, 11:30:34 AM
Views: 20
Related Threats
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumCVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.