CVE-2024-53128: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers

When CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK are enabled, the object_is_on_stack() function may produce incorrect results due to the presence of tags in the obj pointer, while the stack pointer does not have tags. This discrepancy can lead to incorrect stack object detection and subsequently trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled.

Example of the warning:

ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:557 __debug_object_init+0x330/0x364
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc5 #4
Hardware name: linux,dummy-virt (DT)
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __debug_object_init+0x330/0x364
lr : __debug_object_init+0x330/0x364
sp : ffff800082ea7b40
x29: ffff800082ea7b40 x28: 98ff0000c0164518 x27: 98ff0000c0164534
x26: ffff800082d93ec8 x25: 0000000000000001 x24: 1cff0000c00172a0
x23: 0000000000000000 x22: ffff800082d93ed0 x21: ffff800081a24418
x20: 3eff800082ea7bb0 x19: efff800000000000 x18: 0000000000000000
x17: 00000000000000ff x16: 0000000000000047 x15: 206b63617473206e
x14: 0000000000000018 x13: ffff800082ea7780 x12: 0ffff800082ea78e
x11: 0ffff800082ea790 x10: 0ffff800082ea79d x9 : 34d77febe173e800
x8 : 34d77febe173e800 x7 : 0000000000000001 x6 : 0000000000000001
x5 : feff800082ea74b8 x4 : ffff800082870a90 x3 : ffff80008018d3c4
x2 : 0000000000000001 x1 : ffff800082858810 x0 : 0000000000000050
Call trace:
 __debug_object_init+0x330/0x364
 debug_object_init_on_stack+0x30/0x3c
 schedule_hrtimeout_range_clock+0xac/0x26c
 schedule_hrtimeout+0x1c/0x30
 wait_task_inactive+0x1d4/0x25c
 kthread_bind_mask+0x28/0x98
 init_rescuer+0x1e8/0x280
 workqueue_init+0x1a0/0x3cc
 kernel_init_freeable+0x118/0x200
 kernel_init+0x28/0x1f0
 ret_from_fork+0x10/0x20
---[ end trace 0000000000000000 ]---
ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.
------------[ cut here ]------------
AI Analysis
Technical Summary
CVE-2024-53128 is a vulnerability identified in the Linux kernel related to the handling of kernel address sanitizer (KASAN) tagged pointers within the function object_is_on_stack(). Specifically, when the kernel is configured with CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK enabled, the object_is_on_stack() function may incorrectly determine whether an object resides on the stack. This is due to a mismatch between tagged pointers (which include metadata tags for memory safety) and untagged stack pointers. The discrepancy causes the function to produce false negatives in stack object detection, which can trigger warnings if CONFIG_DEBUG_OBJECTS is also enabled. The warnings manifest as kernel debug messages indicating that an object is not on the stack despite being annotated, accompanied by kernel stack traces. This issue arises from the internal kernel debugging and memory safety instrumentation rather than a direct memory corruption or privilege escalation vulnerability. The problem affects Linux kernel versions containing the specified commit hashes, and it has been resolved by fixing the object_is_on_stack() logic to correctly handle tagged pointers. There are no known exploits in the wild, and no CVSS score has been assigned to this vulnerability as of the publication date.
Potential Impact
The impact of CVE-2024-53128 is primarily on kernel debugging and memory safety instrumentation rather than on direct security properties such as confidentiality, integrity, or availability. The incorrect detection of stack objects can lead to spurious kernel warnings and debug messages, which may complicate kernel debugging and development efforts. For production systems, this may result in noisy logs or potential false alarms but does not directly enable privilege escalation, code execution, or denial of service. However, in environments where kernel debugging and KASAN are actively used—such as development, testing, or security research—this flaw could hinder accurate memory safety analysis and debugging. For European organizations relying on Linux-based infrastructure, particularly those using advanced kernel debugging features or custom kernel builds with KASAN enabled, this could delay vulnerability detection or complicate incident response. The vulnerability does not appear to affect standard production deployments without these debugging configurations enabled, thus limiting its broader operational impact.
Mitigation Recommendations
To mitigate CVE-2024-53128, organizations should apply the official Linux kernel patch that corrects the object_is_on_stack() function to properly handle KASAN tagged pointers. This involves updating to a kernel version that includes the fix or backporting the patch to existing kernels if feasible. Since the vulnerability is tied to specific kernel configurations (CONFIG_KASAN_SW_TAGS and CONFIG_KASAN_STACK), disabling these options in production environments where kernel debugging is not required can also avoid the issue. Additionally, ensuring that CONFIG_DEBUG_OBJECTS is disabled in production kernels will prevent the triggering of the debug warnings related to this flaw. For development and testing environments where KASAN is necessary, applying the patch promptly is critical to maintain accurate memory safety instrumentation. Monitoring kernel logs for related warnings can help identify systems running vulnerable kernel versions. Finally, maintaining a robust kernel update and patch management process will help ensure timely remediation of such vulnerabilities.
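The tag mismatch described in the Technical Summary, and the log monitoring suggested above, can be shown together in a user-space model. This is an added example, not kernel code or the upstream patch: the function names, the 32 KiB THREAD_SIZE and the 0xff top-byte tag reset are assumptions made for illustration, and the second log line is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption for illustration: 32 KiB kernel stack. */
#define THREAD_SIZE 0x8000ULL
/* Software tags occupy the top byte; 0xff models the untagged kernel value. */
#define TAG_MASK (0xffULL << 56)

/* User-space stand-in for the kernel's tag reset: force the top byte to 0xff. */
static uint64_t reset_tag(uint64_t p) { return p | TAG_MASK; }

/* Pre-fix check: tagged obj compared against untagged stack bounds. */
static bool on_stack_unfixed(uint64_t stack, uint64_t obj)
{
    return obj >= stack && obj < stack + THREAD_SIZE;
}

/* Post-fix check: strip the tag, then apply the same range test. */
static bool on_stack_fixed(uint64_t stack, uint64_t obj)
{
    return on_stack_unfixed(stack, reset_tag(obj));
}

enum verdict { NOT_ODEBUG, TAG_FALSE_POSITIVE, GENUINE_OFF_STACK };

/* Classify one kernel log line of the form shown in the CVE description. */
static enum verdict triage(const char *line)
{
    unsigned long long obj, stack;
    const char *m = strstr(line, "ODEBUG: object ");

    if (!m || sscanf(m, "ODEBUG: object %llx is NOT on stack %llx", &obj, &stack) != 2)
        return NOT_ODEBUG;
    /* Off-stack only because of the tag byte: the symptom of this CVE. */
    if (!on_stack_unfixed(stack, obj) && on_stack_fixed(stack, obj))
        return TAG_FALSE_POSITIVE;
    return GENUINE_OFF_STACK;
}

int main(void)
{
    /* First line is from the page; second is constructed for contrast. */
    const char *page = "ODEBUG: object 3eff800082ea7bb0 is NOT on stack ffff800082ea0000, but annotated.";
    const char *made = "[ 1.0] ODEBUG: object ffff800082d93ec8 is NOT on stack ffff800082ea0000, but annotated.";
    printf("page line: %d, constructed line: %d\n", triage(page), triage(made));
    return 0;
}
```

The triage assumes the log prints raw addresses, as in the page's example warning.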
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-11-19T17:17:24.995Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfa9d
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 3:24:31 PM
Last updated: 7/31/2025, 11:07:44 AM