
CVE-2024-50275: Vulnerability in Linux (kernel)

Medium
Published: Tue Nov 19 2024 (11/19/2024, 01:30:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64/sve: Discard stale CPU state when handling SVE traps

The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled).

This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set:

| if (test_and_set_thread_flag(TIF_SVE))
|         WARN_ON(1); /* SVE access shouldn't have trapped */

Warnings of this form have been reported intermittently, e.g.

https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g.

| void do_sve_acc(unsigned long esr, struct pt_regs *regs)
| {
|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
|         // task->fpsimd_cpu is 0.
|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
|
|         ...
|
|         // Preempted; migrated from CPU 0 to CPU 1.
|         // TIF_FOREIGN_FPSTATE is set.
|
|         get_cpu_fpsimd_context();
|
|         if (test_and_set_thread_flag(TIF_SVE))
|                 WARN_ON(1); /* SVE access shouldn't have trapped */
|
|         sve_init_regs() {
|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
|                         ...
|                 } else {
|                         fpsimd_to_sve(current);
|                         current->thread.fp_type = FP_STATE_SVE;
|                 }
|         }
|
|         put_cpu_fpsimd_context();
|
|         // Preempted; migrated from CPU 1 to CPU 0.
|         // task->fpsimd_cpu is still 0
|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
|         // - Stale HW state is reused (with SVE traps enabled)
|         // - TIF_FOREIGN_FPSTATE is cleared
|         // - A return to userspace skips HW state restore
| }

Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.
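The sequence in the commit message is easier to follow when the bookkeeping is replayed in isolation. The following user-space C program is an added illustration, not kernel code: it models the per-CPU "last state" pointer, the task's fpsimd_cpu field, and the two thread flags, then walks through the preempt/migrate/handle/migrate-back sequence once without the fix and once with a modelled fpsimd_flush_task_state(). The names fpsimd_switch_in and sve_trap_race, the two-CPU setup, and the bit positions of the flags are assumptions made for the model; the "live only if same task and same CPU" rule and the flush semantics (fpsimd_cpu set to NR_CPUS, TIF_FOREIGN_FPSTATE set) follow the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model (not kernel code) of the state bookkeeping in the description. */
#define NR_CPUS 2
#define FPSIMD_CPU_NONE NR_CPUS  /* "not cached on any CPU", what the flush sets */

/* The two thread flags from the description; bit positions are arbitrary here. */
enum { TIF_SVE = 1u << 0, TIF_FOREIGN_FPSTATE = 1u << 1 };

struct task {
    unsigned int flags;
    int fpsimd_cpu;   /* CPU whose registers last held this task's FP state */
};

/* Per-CPU record of which task's state is live in that CPU's registers
 * (stands in for the per-CPU fpsimd_last_state). */
static struct task *fpsimd_last_state[NR_CPUS];

/* Context-switch check: the state is "live" only if this CPU's registers last
 * held this task AND the task still points at this CPU. Otherwise the task is
 * marked TIF_FOREIGN_FPSTATE so its state is reloaded before returning to user. */
static void fpsimd_switch_in(struct task *t, int cpu)
{
    bool live = fpsimd_last_state[cpu] == t && t->fpsimd_cpu == cpu;
    if (live)
        t->flags &= ~TIF_FOREIGN_FPSTATE;
    else
        t->flags |= TIF_FOREIGN_FPSTATE;
}

/* Model of fpsimd_flush_task_state(): detach the task from any cached CPU state. */
static void fpsimd_flush_task_state(struct task *t)
{
    t->fpsimd_cpu = FPSIMD_CPU_NONE;
    t->flags |= TIF_FOREIGN_FPSTATE;
}

/* Replay the preempt / migrate / handle / migrate-back sequence from the
 * description. Returns true if, back on CPU 0, the task is marked to reload
 * its state from memory (correct), false if stale register contents would be
 * reused (the bug). */
bool sve_trap_race(bool with_fix)
{
    struct task t = { .flags = 0, .fpsimd_cpu = 0 };
    for (int i = 0; i < NR_CPUS; i++)
        fpsimd_last_state[i] = NULL;

    /* SVE trap on CPU 0: the task's state is live there and TIF_SVE is clear. */
    fpsimd_last_state[0] = &t;
    fpsimd_switch_in(&t, 0);

    /* Preempted and migrated to CPU 1 before the saved state is touched. */
    fpsimd_switch_in(&t, 1);           /* sets TIF_FOREIGN_FPSTATE */

    /* Body of do_sve_acc() running on CPU 1. */
    t.flags |= TIF_SVE;
    if (t.flags & TIF_FOREIGN_FPSTATE) {
        /* fpsimd_to_sve(current) converts only the in-memory copy; CPU 0's
         * registers and t.fpsimd_cpu are untouched, so CPU 0 still looks as
         * if it holds this task's (now stale) state. */
        if (with_fix)
            fpsimd_flush_task_state(&t);
    }

    /* Preempted again and migrated back to CPU 0. */
    fpsimd_switch_in(&t, 0);
    return (t.flags & TIF_FOREIGN_FPSTATE) != 0;
}

int main(void)
{
    printf("without fix: reload from memory = %s\n",
           sve_trap_race(false) ? "yes" : "no (stale state reused)");
    printf("with fix:    reload from memory = %s\n",
           sve_trap_race(true) ? "yes" : "no");
    return 0;
}
```

Without the flush, the return to CPU 0 passes the "same task, same CPU" check and clears TIF_FOREIGN_FPSTATE, so the pre-trap register contents (with SVE traps still enabled) would be used as-is. With the flush, fpsimd_cpu no longer matches any CPU, the check fails, and the rebuilt in-memory state is loaded before returning to userspace.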

AI-Powered Analysis

Last updated: 06/28/2025, 13:42:07 UTC

Technical Analysis

CVE-2024-50275 is a vulnerability identified in the Linux kernel specifically affecting the arm64 architecture's handling of Scalable Vector Extension (SVE) traps. The vulnerability arises from a race condition during the manipulation of the saved Floating Point SIMD (FPSIMD) and SVE CPU state. When the kernel handles SVE traps, it modifies the saved CPU state to manage floating-point and vector registers. However, due to improper synchronization, a race with preemption can occur, leading to a scenario where a task's thread flags indicate it has SVE enabled (TIF_SVE set) but lacks the TIF_FOREIGN_FPSTATE flag, even though the CPU state is stale. This inconsistency can cause warnings in the kernel and potentially lead to the reuse of stale hardware state during context switches. The root cause is that the trap handler may be preempted and the task migrated across CPUs while manipulating the saved state, resulting in stale state reuse without proper refresh. The fix involves calling fpsimd_flush_task_state() when the state is not live and TIF_FOREIGN_FPSTATE is set, ensuring that the stale CPU state is detached and forcing a reload of the correct state from memory on subsequent context switches. This vulnerability is subtle and relates to low-level CPU state management in the kernel's floating-point and vector processing subsystem on arm64 platforms supporting SVE. It does not appear to have known exploits in the wild yet and lacks a CVSS score at this time.

Potential Impact

For European organizations running Linux on arm64 hardware with SVE support, this vulnerability could lead to system instability or unexpected kernel warnings due to improper CPU state handling. While no direct exploit is known, the reuse of stale CPU state could potentially be leveraged in complex attack scenarios to cause data corruption or privilege escalation, especially in multi-threaded or multi-core environments where preemption and CPU migration are common. This could affect cloud providers, data centers, and enterprises using arm64-based servers or edge devices running vulnerable Linux kernel versions. The impact is primarily on integrity and availability rather than confidentiality: stale CPU state reuse could produce incorrect computation results or kernel crashes. Exploitation would, however, require specific conditions, including preemption and CPU migration during SVE trap handling, which makes it a complex attack vector. The absence of known exploits and the technical nature of the flaw suggest a moderate risk at present, but patching remains important to prevent future exploitation as arm64 adoption grows in Europe.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched. Since the issue involves low-level kernel CPU state management, applying official kernel updates from trusted sources is critical. For environments where immediate patching is challenging, organizations should consider disabling SVE support if feasible, or limiting workloads that heavily rely on SVE traps until patches are applied. Monitoring kernel logs for warnings related to SVE traps (e.g., WARN_ON triggers in do_sve_acc()) can help detect attempts to trigger the race condition. Additionally, organizations should ensure that their systems are configured to minimize unnecessary preemption and CPU migration for critical workloads, which could reduce the likelihood of the race condition manifesting. Engaging with Linux distribution vendors for timely security updates and testing patches in staging environments before production deployment is recommended. Finally, maintaining robust system integrity monitoring and incident response capabilities will help detect and respond to any exploitation attempts.
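The log-monitoring recommendation above can be turned into a concrete check. The following C program is an added example, not part of this advisory or of the kernel: it parses kernel log lines in the standard WARN_ON() report layout ("WARNING: CPU: n PID: n at file:line func+off/size") and flags only those raised from do_sve_acc() in fpsimd.c. The sample dmesg excerpt is constructed for illustration; its timestamps, PIDs, source line numbers and symbol offsets are made up, and the function names parse_sve_warning, count_sve_warnings and sample_hits are this example's own.

```c
#include <stdio.h>
#include <string.h>

struct sve_warning {
    int cpu;
    int pid;
    char file[128];   /* "path:line" as printed by the kernel */
    char func[64];    /* symbol name without the +offset/size suffix */
};

/* Parse one kernel log line. Returns 1 and fills *w if the line is a WARNING
 * raised from do_sve_acc() in arch/arm64/kernel/fpsimd.c, otherwise 0. */
int parse_sve_warning(const char *line, struct sve_warning *w)
{
    const char *p = strstr(line, "WARNING: CPU: ");
    if (!p)
        return 0;
    /* %127s takes "file:line"; %63[^+ ] takes the symbol up to the '+' offset. */
    if (sscanf(p, "WARNING: CPU: %d PID: %d at %127s %63[^+ ]",
               &w->cpu, &w->pid, w->file, w->func) != 4)
        return 0;
    if (!strstr(w->file, "fpsimd.c") || strcmp(w->func, "do_sve_acc") != 0)
        return 0;
    return 1;
}

/* Count matching warnings across an array of log lines. */
int count_sve_warnings(const char *const *lines, int n)
{
    int hits = 0;
    struct sve_warning w;
    for (int i = 0; i < n; i++)
        if (parse_sve_warning(lines[i], &w))
            hits++;
    return hits;
}

/* Constructed sample dmesg excerpt (values are made up): one SVE trap warning,
 * one unrelated warning, and some surrounding noise. */
static const char *const sample_log[] = {
    "[  812.406113] WARNING: CPU: 2 PID: 4711 at arch/arm64/kernel/fpsimd.c:1234 do_sve_acc+0x1b8/0x1c0",
    "[  812.406120] Modules linked in:",
    "[  812.406131] Call trace:",
    "[  930.118004] WARNING: CPU: 0 PID: 77 at kernel/sched/core.c:999 some_other_func+0x10/0x20",
    "[  940.000000] sched: RT throttling activated",
};
#define SAMPLE_LOG_LINES ((int)(sizeof sample_log / sizeof sample_log[0]))

/* Number of do_sve_acc() warnings in the constructed sample. */
int sample_hits(void)
{
    return count_sve_warnings(sample_log, SAMPLE_LOG_LINES);
}

int main(void)
{
    struct sve_warning w;
    for (int i = 0; i < SAMPLE_LOG_LINES; i++)
        if (parse_sve_warning(sample_log[i], &w))
            printf("SVE trap warning: cpu=%d pid=%d at %s in %s()\n",
                   w.cpu, w.pid, w.file, w.func);
    printf("%d matching warning(s)\n", sample_hits());
    return 0;
}
```

In practice the same parser can be fed from `dmesg` or the journal; a hit indicates that the unexpected-trap condition described in this CVE was reached on an unpatched kernel, which is a signal to confirm the kernel version and schedule the update.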


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-10-21T19:36:19.983Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9824c4522896dcbdf710

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:42:07 PM

Last updated: 8/17/2025, 12:14:52 PM

