
CVE-2024-53105: Vulnerability in the Linux kernel

High
Published: Mon Dec 02 2024 (12/02/2024, 13:44:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: page_alloc: move mlocked flag clearance into free_pages_prepare()

Syzbot reported a bad page state problem caused by a page being freed using free_page() still having a mlocked flag at free_pages_prepare() stage:

  BUG: Bad page state in process syz.5.504  pfn:61f45
  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45
  flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff)
  raw: 00fff00000080204 0000000000000000 dead000000000122 0000000000000000
  raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
  page_owner tracks the page as allocated
  page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 8443, tgid 8442 (syz.5.504), ts 201884660643, free_ts 201499827394
   set_page_owner include/linux/page_owner.h:32 [inline]
   post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
   prep_new_page mm/page_alloc.c:1545 [inline]
   get_page_from_freelist+0x303f/0x3190 mm/page_alloc.c:3457
   __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
   alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
   kvm_coalesced_mmio_init+0x1f/0xf0 virt/kvm/coalesced_mmio.c:99
   kvm_create_vm virt/kvm/kvm_main.c:1235 [inline]
   kvm_dev_ioctl_create_vm virt/kvm/kvm_main.c:5488 [inline]
   kvm_dev_ioctl+0x12dc/0x2240 virt/kvm/kvm_main.c:5530
   __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
   __se_compat_sys_ioctl+0x510/0xc90 fs/ioctl.c:950
   do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
   __do_fast_syscall_32+0xb4/0x110 arch/x86/entry/common.c:386
   do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
   entry_SYSENTER_compat_after_hwframe+0x84/0x8e
  page last free pid 8399 tgid 8399 stack trace:
   reset_page_owner include/linux/page_owner.h:25 [inline]
   free_pages_prepare mm/page_alloc.c:1108 [inline]
   free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
   folios_put_refs+0x76c/0x860 mm/swap.c:1007
   free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
   __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
   tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
   tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
   tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
   tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
   exit_mmap+0x496/0xc40 mm/mmap.c:1926
   __mmput+0x115/0x390 kernel/fork.c:1348
   exit_mm+0x220/0x310 kernel/exit.c:571
   do_exit+0x9b2/0x28e0 kernel/exit.c:926
   do_group_exit+0x207/0x2c0 kernel/exit.c:1088
   __do_sys_exit_group kernel/exit.c:1099 [inline]
   __se_sys_exit_group kernel/exit.c:1097 [inline]
   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
   x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  Modules linked in:
  CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
   bad_page+0x176/0x1d0 mm/page_alloc.c:501
   free_page_is_bad mm/page_alloc.c:918 [inline]
   free_pages_prepare mm/page_alloc.c:1100 [inline]
   free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638
   kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline]
   kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386
   kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143
   __fput+0x23f/0x880 fs/file_table.c:431
   task_work_run+0x24f/0x310 kernel/task_work.c:239
   exit_task_work include/linux/task_work.h:43 [inline]
   do_exit+0xa2f/0x28e0 kernel/exit.c:939
   do_group_exit+0x207/0x2c0 kernel/exit.c:1088
   __do_sys_exit_group kernel/exit.c:1099 [in ---truncated---

AI-Powered Analysis

AI analysis last updated: 06/28/2025, 14:56:27 UTC

Technical Analysis

CVE-2024-53105 is a bug in the Linux kernel's memory management subsystem, in where the per-page "mlocked" flag is cleared during freeing. The fix, "mm: page_alloc: move mlocked flag clearance into free_pages_prepare()", relocates that clearing into free_pages_prepare(), the routine every page-freeing path passes through. Before the fix the clearing happened on other free paths that the low-level free_page() API does not take, so a page released through free_page() could reach free_pages_prepare() with PG_mlocked still set, and the allocator's PAGE_FLAGS_CHECK_AT_FREE sanity check reports "BUG: Bad page state". Syzbot, the kernel fuzzing robot, hit this on a 6.12.0-rc6 build. The stack trace shows the page being allocated by kvm_coalesced_mmio_init() during KVM_CREATE_VM and freed via free_unref_page() from kvm_destroy_vm() when the last vCPU file descriptor is put; the "page last free" stack under a different PID is page_owner's record of the page's previous life and is not part of the fault. This is a layering error, not a race: the clearing code lived above the API that KVM uses. The CVE text quoted here does not say how PG_mlocked came to be set on a kernel-owned page; the KVM vCPU fd maps this page into userspace, so an mlock()ed mapping is the natural route, but that is an inference from the trace rather than something the description states. bad_page() does not panic by default: it prints the report, sets the TAINT_BAD_PAGE ("B") taint and keeps the page out of the free lists, so repeated triggering leaks memory rather than crashing the host outright. No exploits in the wild are reported and no CVSS score is recorded on this entry. The CVE was published on December 2, 2024.

Potential Impact

For European organizations the exposure is on hosts that run an affected kernel and let local users or tenants drive KVM: the quoted trigger is the VM lifecycle, KVM_CREATE_VM followed by release of the vCPU file descriptor. The impact is to availability. Each trigger logs a "BUG: Bad page state" report, taints the kernel and withholds the page from the allocator, so a process that can repeat it leaks host memory, and a tainted kernel complicates vendor support and later crash analysis. Nothing in the report indicates remote reachability, code execution, privilege escalation or information disclosure, so there is no confidentiality impact to claim. The "Google Compute Engine" hardware name in the trace is Syzbot's test VM, not evidence that Google Cloud customers are specifically affected; any distribution kernel carrying the unfixed allocator code is. Sectors running dense Linux virtualization, such as cloud providers, telecommunications and finance, should treat this as a local denial-of-service and memory-leak risk on multi-tenant KVM hosts rather than a breach vector.

Mitigation Recommendations

1. Patch: apply the kernel update carrying "mm: page_alloc: move mlocked flag clearance into free_pages_prepare()". Track the stable kernel announcements and your distribution's advisory for the package that includes it.
2. Kernel version management: the report is against 6.12.0-rc6, but the faulty code lives in the generic page allocator, so do not assume only that build is affected; confirm the status of the kernel series you actually run (LTS series included) against the vendor advisory rather than the version in the trace.
3. Virtualization hardening: the quoted trigger is the KVM VM lifecycle, so on KVM hosts limit which users and services can open /dev/kvm (device permissions, a dedicated group, container device allow-lists) and keep untrusted tenants off hosts that also run critical workloads.
4. Monitoring: alert on kernel log lines matching "BUG: Bad page state" whose flags include "mlocked" and whose reason is "PAGE_FLAGS_CHECK_AT_FREE flag(s) set"; also watch /proc/sys/kernel/tainted for the bad-page bit (value 32, shown as "B" in the taint string), which stays set until reboot once bad_page() has fired.
5. Controlled testing: stage the updated kernel before production rollout; the fix touches the common page-free path, so validate under your real workload mix.
6. Least privilege: restrict who can create VMs and exercise the kvm ioctl interface to trusted administrators and service accounts.
7. Recovery: keep backups and reboot procedures current; a host that has started leaking pages or tainting the kernel should be rebooted onto a patched kernel at the next maintenance window.
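As an added detection example (not part of the CVE text, the kernel, or this site's analysis), the following Python implements the monitoring item above: it parses kernel log text for a "Bad page state" report whose flags include mlocked, whose reason is PAGE_FLAGS_CHECK_AT_FREE, and whose call trace passes through free_pages_prepare(), names the first frame outside mm/ so an analyst sees which subsystem released the page (kvm_destroy_vm in the quoted trace), and decodes the bad-page bit of /proc/sys/kernel/tainted. The sample log is constructed from the trace quoted on this page with dmesg-style timestamps prepended; the function, class and constant names are this example's own, not kernel or tooling identifiers.

```python
"""Detect the CVE-2024-53105 'Bad page state' signature in kernel log text.

Added example for this page; not part of the CVE text or of the Linux kernel.
The sample log below is constructed from the syzbot report quoted above, with
dmesg-style timestamps prepended so the timestamp-stripping path is exercised.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample (excerpt of the quoted syzbot report, timestamps added).
SAMPLE_DMESG = """\
[  201.884] BUG: Bad page state in process syz.5.504  pfn:61f45
[  201.884] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61f45
[  201.884] flags: 0xfff00000080204(referenced|workingset|mlocked|node=0|zone=1|lastcpupid=0x7ff)
[  201.884] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[  201.884] CPU: 0 UID: 0 PID: 8442 Comm: syz.5.504 Not tainted 6.12.0-rc6-syzkaller #0
[  201.884] Call Trace:
[  201.884]  <TASK>
[  201.884]  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
[  201.884]  bad_page+0x176/0x1d0 mm/page_alloc.c:501
[  201.884]  free_pages_prepare mm/page_alloc.c:1100 [inline]
[  201.884]  free_unref_page+0xed0/0xf20 mm/page_alloc.c:2638
[  201.884]  kvm_destroy_vm virt/kvm/kvm_main.c:1327 [inline]
[  201.884]  kvm_put_kvm+0xc75/0x1350 virt/kvm/kvm_main.c:1386
[  201.884]  kvm_vcpu_release+0x54/0x60 virt/kvm/kvm_main.c:4143
[  201.884]  __fput+0x23f/0x880 fs/file_table.c:431
[  201.884]  </TASK>
"""

TAINT_BAD_PAGE = 5  # bit set by bad_page(); shows as 'B' in the kernel taint string

_TS_RE = re.compile(r"^\[[^\]]*\]\s?")
_BUG_RE = re.compile(r"BUG: Bad page state in process (\S+)\s+pfn:([0-9a-f]+)")
_FLAGS_RE = re.compile(r"flags: (0x[0-9a-f]+)\(([^)]*)\)")
_REASON_RE = re.compile(r"page dumped because: (.+)$")
_KERNEL_RE = re.compile(r"(?:Not tainted|Tainted:.*?)\s+(\d+\.\d+\S*) #\d+")
# "func+0xoff/0xlen path/file.c:line" or "func path/file.c:line [inline]"
_FRAME_RE = re.compile(r"^\s*([A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")


@dataclass
class BadPageEvent:
    process: str
    pfn: str
    flags_hex: int = 0
    flags: list[str] = field(default_factory=list)
    reason: str = ""
    kernel: str = ""
    frames: list[tuple[str, str]] = field(default_factory=list)  # (function, file:line)

    @property
    def functions(self) -> list[str]:
        return [func for func, _ in self.frames]

    @property
    def freeing_caller(self) -> Optional[str]:
        """First frame outside mm/ and lib/: the subsystem that released the page."""
        for func, loc in self.frames:
            if not loc.startswith(("mm/", "lib/")):
                return func
        return None

    @property
    def matches_cve_2024_53105(self) -> bool:
        """A page reached free_pages_prepare() with PG_mlocked still set."""
        return ("mlocked" in self.flags
                and "PAGE_FLAGS_CHECK_AT_FREE" in self.reason
                and "free_pages_prepare" in self.functions)


def parse_bad_page_events(log: str) -> list[BadPageEvent]:
    """Walk kernel log text and collect every 'Bad page state' report."""
    events: list[BadPageEvent] = []
    cur: Optional[BadPageEvent] = None
    in_trace = False
    for raw in log.splitlines():
        line = _TS_RE.sub("", raw)  # drop a dmesg/journalctl timestamp prefix if present
        if m := _BUG_RE.search(line):
            cur = BadPageEvent(process=m.group(1), pfn=m.group(2))
            events.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif m := _FLAGS_RE.search(line):
            cur.flags_hex = int(m.group(1), 16)
            # keep flag names only; drop the node=/zone=/lastcpupid= fields
            cur.flags = [f for f in m.group(2).split("|") if "=" not in f]
        elif m := _REASON_RE.search(line):
            cur.reason = m.group(1).strip()
        elif m := _KERNEL_RE.search(line):
            cur.kernel = m.group(1)
        elif line.strip().startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := _FRAME_RE.match(line)):
            cur.frames.append((m.group(1), m.group(2)))
    return events


def bad_page_taint_set(tainted: int) -> bool:
    """True if the integer from /proc/sys/kernel/tainted records a bad_page() hit."""
    return bool(tainted & (1 << TAINT_BAD_PAGE))


if __name__ == "__main__":
    # Usage: dmesg | python3 badpage_detect.py   (no piped input -> run on the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for ev in parse_bad_page_events(text):
        tag = "CVE-2024-53105 signature" if ev.matches_cve_2024_53105 else "other bad page state"
        print(f"{tag}: process={ev.process} pfn={ev.pfn} flags={'|'.join(ev.flags)} "
              f"freed_from={ev.freeing_caller} kernel={ev.kernel}")
```

The three-part match (mlocked flag, PAGE_FLAGS_CHECK_AT_FREE reason, free_pages_prepare in the trace) is deliberately narrower than grepping for "Bad page state", which also fires for unrelated allocator corruption; the freeing_caller field is what you would pivot on when triaging a host that shows the report outside a KVM context.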


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:24.992Z
CISA Enriched: false
CVSS Version: null (no score assigned on this entry)
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf9ce

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 2:56:27 PM

Last updated: 8/3/2025, 6:30:34 AM

