CVE-2024-50200: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / ---truncated---
AI Analysis
Technical Summary
CVE-2024-50200 is a vulnerability in the Linux kernel's maple tree data structure implementation, specifically related to the handling of spanning stores across leaf nodes. The maple tree is a specialized data structure used in the Linux kernel's memory management subsystem to efficiently manage ranges of memory mappings. The vulnerability arises from a subtle bug present since the inception of the maple tree algorithm, which manifests when a spanning store operation attempts to write data that overlaps two leaf nodes, with the right leaf node being the rightmost child of the shared parent node, and the store completely consuming this rightmost node. Under these conditions, the function mas_wr_spanning_store() incorrectly duplicates entries at the maximum pivot within the range, leading to corruption of the maple tree structure. This corruption can cause unpredictable behavior in memory management, potentially leading to system instability, crashes, or security issues such as privilege escalation or denial of service. The bug became more apparent following a specific commit (f8d112a4e657) that altered how the virtual memory area (VMA) tree is zeroed during mmap_region() operations, which increased the likelihood of triggering the bug. The patch series addressing this vulnerability corrects the logic in mas_wr_spanning_store() to detect and prevent the erroneous duplication of entries, thereby preserving tree integrity. The fix also includes a reliable test case to reproduce the issue and verify the patch's effectiveness. While no known exploits are currently reported in the wild, the subtlety and longevity of the bug imply that it could be exploited under specific conditions. The vulnerability affects Linux kernel versions identified by the commit hash 54a611b605901c7d5d05b6b8f5d04a6ceb0962aa and potentially other versions containing the maple tree implementation prior to the patch. Due to the kernel's central role in system operation, this vulnerability is critical to address promptly.
Potential Impact
For European organizations, the impact of CVE-2024-50200 can be significant, especially for those relying on Linux-based infrastructure, including servers, cloud environments, embedded systems, and critical industrial control systems. The maple tree corruption can lead to kernel memory management errors, causing system crashes (denial of service), data corruption, or potentially enabling privilege escalation if exploited by a malicious actor. This could disrupt business operations, lead to data loss, or compromise sensitive information. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often use Linux extensively, could face operational downtime and increased risk of targeted attacks exploiting this vulnerability. Furthermore, given the kernel's widespread use in cloud service providers and container environments, the vulnerability could affect multi-tenant environments, increasing the risk of cross-tenant attacks or service outages. The lack of known exploits currently reduces immediate risk, but the complexity and subtlety of the bug mean that sophisticated attackers could develop exploits, especially in high-value target environments.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that corrects the maple tree spanning store logic is essential. Organizations should prioritize updating to kernel versions that include the fix or apply backported patches if using long-term support (LTS) kernels. 2. Conduct thorough testing of the patched kernel in staging environments to ensure stability and compatibility before deployment in production. 3. Monitor kernel mailing lists and vendor advisories for any emerging exploit reports or additional patches related to this vulnerability. 4. Implement kernel live patching solutions where feasible to reduce downtime and rapidly deploy fixes without full system reboots. 5. Enhance system monitoring to detect unusual kernel behavior or crashes that might indicate exploitation attempts. 6. For environments using containerization or virtualization, ensure hypervisor and container runtimes are updated and configured to minimize kernel exposure. 7. Employ strict access controls and limit user privileges to reduce the risk of local exploitation, as kernel vulnerabilities often require local access. 8. Maintain comprehensive backups and disaster recovery plans to mitigate potential data loss from system instability caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-50200: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: maple_tree: correct tree corruption on spanning store Patch series "maple_tree: correct tree corruption on spanning store", v3. There has been a nasty yet subtle maple tree corruption bug that appears to have been in existence since the inception of the algorithm. This bug seems far more likely to happen since commit f8d112a4e657 ("mm/mmap: avoid zeroing vma tree in mmap_region()"), which is the point at which reports started to be submitted concerning this bug. We were made definitely aware of the bug thanks to the kind efforts of Bert Karwatzki who helped enormously in my being able to track this down and identify the cause of it. The bug arises when an attempt is made to perform a spanning store across two leaf nodes, where the right leaf node is the rightmost child of the shared parent, AND the store completely consumes the right-mode node. This results in mas_wr_spanning_store() mitakenly duplicating the new and existing entries at the maximum pivot within the range, and thus maple tree corruption. The fix patch corrects this by detecting this scenario and disallowing the mistaken duplicate copy. The fix patch commit message goes into great detail as to how this occurs. This series also includes a test which reliably reproduces the issue, and asserts that the fix works correctly. Bert has kindly tested the fix and confirmed it resolved his issues. Also Mikhail Gavrilov kindly reported what appears to be precisely the same bug, which this fix should also resolve. This patch (of 2): There has been a subtle bug present in the maple tree implementation from its inception. This arises from how stores are performed - when a store occurs, it will overwrite overlapping ranges and adjust the tree as necessary to accommodate this. A range may always ultimately span two leaf nodes. In this instance we walk the two leaf nodes, determine which elements are not overwritten to the left and to the right of the start and end of the ranges respectively and then rebalance the tree to contain these entries and the newly inserted one. This kind of store is dubbed a 'spanning store' and is implemented by mas_wr_spanning_store(). In order to reach this stage, mas_store_gfp() invokes mas_wr_preallocate(), mas_wr_store_type() and mas_wr_walk() in turn to walk the tree and update the object (mas) to traverse to the location where the write should be performed, determining its store type. When a spanning store is required, this function returns false stopping at the parent node which contains the target range, and mas_wr_store_type() marks the mas->store_type as wr_spanning_store to denote this fact. When we go to perform the store in mas_wr_spanning_store(), we first determine the elements AFTER the END of the range we wish to store (that is, to the right of the entry to be inserted) - we do this by walking to the NEXT pivot in the tree (i.e. r_mas.last + 1), starting at the node we have just determined contains the range over which we intend to write. We then turn our attention to the entries to the left of the entry we are inserting, whose state is represented by l_mas, and copy these into a 'big node', which is a special node which contains enough slots to contain two leaf node's worth of data. We then copy the entry we wish to store immediately after this - the copy and the insertion of the new entry is performed by mas_store_b_node(). After this we copy the elements to the right of the end of the range which we are inserting, if we have not exceeded the length of the node (i.e. r_mas.offset <= r_mas.end). Herein lies the bug - under very specific circumstances, this logic can break and corrupt the maple tree. Consider the following tree: Height 0 Root Node / \ pivot = 0xffff / \ pivot = ULONG_MAX / ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-50200 is a vulnerability in the Linux kernel's maple tree data structure implementation, specifically related to the handling of spanning stores across leaf nodes. The maple tree is a specialized data structure used in the Linux kernel's memory management subsystem to efficiently manage ranges of memory mappings. The vulnerability arises from a subtle bug present since the inception of the maple tree algorithm, which manifests when a spanning store operation attempts to write data that overlaps two leaf nodes, with the right leaf node being the rightmost child of the shared parent node, and the store completely consuming this rightmost node. Under these conditions, the function mas_wr_spanning_store() incorrectly duplicates entries at the maximum pivot within the range, leading to corruption of the maple tree structure. This corruption can cause unpredictable behavior in memory management, potentially leading to system instability, crashes, or security issues such as privilege escalation or denial of service. The bug became more apparent following a specific commit (f8d112a4e657) that altered how the virtual memory area (VMA) tree is zeroed during mmap_region() operations, which increased the likelihood of triggering the bug. The patch series addressing this vulnerability corrects the logic in mas_wr_spanning_store() to detect and prevent the erroneous duplication of entries, thereby preserving tree integrity. The fix also includes a reliable test case to reproduce the issue and verify the patch's effectiveness. While no known exploits are currently reported in the wild, the subtlety and longevity of the bug imply that it could be exploited under specific conditions. The vulnerability affects Linux kernel versions identified by the commit hash 54a611b605901c7d5d05b6b8f5d04a6ceb0962aa and potentially other versions containing the maple tree implementation prior to the patch. Due to the kernel's central role in system operation, this vulnerability is critical to address promptly.
Potential Impact
For European organizations, the impact of CVE-2024-50200 can be significant, especially for those relying on Linux-based infrastructure, including servers, cloud environments, embedded systems, and critical industrial control systems. The maple tree corruption can lead to kernel memory management errors, causing system crashes (denial of service), data corruption, or potentially enabling privilege escalation if exploited by a malicious actor. This could disrupt business operations, lead to data loss, or compromise sensitive information. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often use Linux extensively, could face operational downtime and increased risk of targeted attacks exploiting this vulnerability. Furthermore, given the kernel's widespread use in cloud service providers and container environments, the vulnerability could affect multi-tenant environments, increasing the risk of cross-tenant attacks or service outages. The lack of known exploits currently reduces immediate risk, but the complexity and subtlety of the bug mean that sophisticated attackers could develop exploits, especially in high-value target environments.
Mitigation Recommendations
1. Immediate application of the official Linux kernel patch that corrects the maple tree spanning store logic is essential. Organizations should prioritize updating to kernel versions that include the fix or apply backported patches if using long-term support (LTS) kernels. 2. Conduct thorough testing of the patched kernel in staging environments to ensure stability and compatibility before deployment in production. 3. Monitor kernel mailing lists and vendor advisories for any emerging exploit reports or additional patches related to this vulnerability. 4. Implement kernel live patching solutions where feasible to reduce downtime and rapidly deploy fixes without full system reboots. 5. Enhance system monitoring to detect unusual kernel behavior or crashes that might indicate exploitation attempts. 6. For environments using containerization or virtualization, ensure hypervisor and container runtimes are updated and configured to minimize kernel exposure. 7. Employ strict access controls and limit user privileges to reduce the risk of local exploitation, as kernel vulnerabilities often require local access. 8. Maintain comprehensive backups and disaster recovery plans to mitigate potential data loss from system instability caused by this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.969Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9824c4522896dcbdf4cb
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 12:54:42 PM
Last updated: 8/3/2025, 10:16:10 PM
Views: 10
Related Threats
CVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android
UnknownCVE-2025-8959: CWE-59: Improper Link Resolution Before File Access (Link Following) in HashiCorp Shared library
HighCVE-2025-44201
LowCVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library
MediumCVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.