
CVE-2024-53222: Vulnerability in Linux Linux

Medium
Published: Fri Dec 27 2024 (12/27/2024, 13:50:12 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

zram: fix NULL pointer in comp_algorithm_show()

LTP reported a NULL pointer dereference as followed:

  CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3
  Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
  pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : __pi_strcmp+0x24/0x140
  lr : zcomp_available_show+0x60/0x100 [zram]
  sp : ffff800088b93b90
  x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0
  x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000
  x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900
  x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
  x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280
  x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000
  x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c
  x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000
  Call trace:
   __pi_strcmp+0x24/0x140
   comp_algorithm_show+0x40/0x70 [zram]
   dev_attr_show+0x28/0x80
   sysfs_kf_seq_show+0x90/0x140
   kernfs_seq_show+0x34/0x48
   seq_read_iter+0x1d4/0x4e8
   kernfs_fop_read_iter+0x40/0x58
   new_sync_read+0x9c/0x168
   vfs_read+0x1a8/0x1f8
   ksys_read+0x74/0x108
   __arm64_sys_read+0x24/0x38
   invoke_syscall+0x50/0x120
   el0_svc_common.constprop.0+0xc8/0xf0
   do_el0_svc+0x24/0x38
   el0_svc+0x38/0x138
   el0t_64_sync_handler+0xc0/0xc8
   el0t_64_sync+0x188/0x190

The zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if comp_algorithm_set() has not been called. User can access the zram device by sysfs after device_add_disk(), so there is a time window to trigger the NULL pointer dereference. Move it ahead device_add_disk() to make sure when user can access the zram device, it is ready.

comp_algorithm_set() is protected by zram->init_lock in other places and no such problem.

AI-Powered Analysis

Last updated: 06/28/2025, 10:55:54 UTC

Technical Analysis

CVE-2024-53222 is a NULL pointer dereference in the comp_algorithm_show() function of the Linux kernel's zram module. The zram module provides compressed RAM-based block devices, which are often used to improve system performance by compressing pages in memory.

The vulnerability arises because the zram->comp_algs[ZRAM_PRIMARY_COMP] pointer can be NULL during initialization in zram_add() if comp_algorithm_set() has not yet been called. This creates a race condition: a user can access the zram device via sysfs after device_add_disk() has been called but before the compression algorithm is set, and comp_algorithm_show() then dereferences the NULL pointer. The kernel stack trace shows that this occurs during a sysfs read operation, which is typically accessible to unprivileged users.

The root cause is the ordering of calls in zram_add(), which left a time window in which the device was accessible but not fully initialized. Elsewhere in the code comp_algorithm_set() is protected by zram->init_lock and the problem does not occur. The fix moves the comp_algorithm_set() call ahead of device_add_disk(), so that when the device is exposed to userspace it is fully initialized and the pointer is valid.

This vulnerability can cause a kernel crash (denial of service) due to the NULL pointer dereference. There is no indication that it allows privilege escalation or arbitrary code execution. No known exploits are reported in the wild as of the publication date. The vulnerability affects Linux kernel version 6.12.0-rc6+ and possibly other versions with similar zram code structure prior to the fix. It was reported by the Linux Test Project (LTP) and is confirmed by kernel developers.

Potential Impact

For European organizations, the primary impact of CVE-2024-53222 is the potential for denial of service (DoS) on Linux systems utilizing the zram module. Systems that rely on zram for memory compression, such as embedded devices, virtual machines, or servers optimized for memory usage, could experience kernel panics or crashes if an attacker triggers this vulnerability. Although exploitation requires access to the sysfs interface of the zram device, which may be restricted, unprivileged local users or attackers who have gained limited access could cause system instability or downtime. This could disrupt critical services, especially in environments with high availability requirements such as financial institutions, healthcare providers, or industrial control systems. Since the vulnerability does not appear to allow privilege escalation or remote code execution, the confidentiality and integrity of data are less likely to be directly impacted. However, repeated crashes could be leveraged as part of a broader attack strategy to degrade system reliability or availability. Organizations running Linux kernels with zram enabled in cloud infrastructure, virtualized environments, or container hosts should be particularly vigilant, as these environments often expose sysfs interfaces and may have multiple users or tenants. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent potential abuse.

Mitigation Recommendations

1. Apply the official Linux kernel patch that reorders the initialization sequence in the zram module, ensuring comp_algorithm_set() is called before device_add_disk(). This is the definitive fix and should be prioritized in kernel updates.
2. If immediate patching is not possible, restrict access to the sysfs interface for zram devices by adjusting permissions or using Linux security modules (e.g., SELinux, AppArmor) to limit unprivileged user access to /sys/block/zram* paths.
3. Monitor kernel logs for signs of NULL pointer dereference crashes related to zram and investigate any unexpected kernel panics.
4. For virtualized or containerized environments, ensure that guest or container users do not have unnecessary access to sysfs interfaces that expose zram devices.
5. Implement robust system monitoring and alerting to detect abnormal system restarts or crashes that could indicate exploitation attempts.
6. Review and harden local user privileges to minimize the risk of unprivileged users triggering the vulnerability.
7. Engage with Linux distribution vendors to obtain timely kernel updates and security advisories relevant to this vulnerability.
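For recommendation 3, one way to pick this crash out of kernel logs, as an added example that is not part of the original advisory or of the kernel project. It assumes arm64-style oops formatting as in the trace quoted in the description; the sample log is constructed from that trace, and `find_zram_oopses` is a hypothetical helper name.

```python
import re

# Constructed sample: abridged from the trace quoted in the description,
# with illustrative timestamps and surrounding lines added.
SAMPLE_LOG = """\
[  812.100412] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.100530] CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3
[  812.100655] pc : __pi_strcmp+0x24/0x140
[  812.100700] lr : zcomp_available_show+0x60/0x100 [zram]
[  812.100810] Call trace:
[  812.100850]  __pi_strcmp+0x24/0x140
[  812.100900]  comp_algorithm_show+0x40/0x70 [zram]
[  812.100950]  dev_attr_show+0x28/0x80
[  812.101000]  sysfs_kf_seq_show+0x90/0x140
[  812.200000] EXT4-fs (vda1): re-mounted
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")            # optional dmesg timestamp
FRAME = re.compile(                                 # symbol+0xoff/0xsize [module]
    r"^\s*(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?\s*$")
COMM = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")

def find_zram_oopses(log_text):
    """Return one dict per call trace that contains a frame from the zram module."""
    hits, frames, ctx = [], None, {}
    # The trailing empty line closes a trace that runs to the end of the log.
    for raw in log_text.splitlines() + [""]:
        line = TS.sub("", raw)
        if frames is not None:                      # currently inside a call trace
            m = FRAME.match(line)
            if m:
                frames.append((m["sym"], m["mod"]))
                continue
            if any(mod == "zram" for _, mod in frames):
                # Signature from the advisory: strcmp faulting under comp_algorithm_show.
                sig = "strcmp" in frames[0][0] and ("comp_algorithm_show", "zram") in frames
                hits.append({**ctx, "frames": [s for s, _ in frames], "signature": sig})
            frames = None
        c = COMM.search(line)
        if c:                                       # remember which task crashed
            ctx = {"pid": int(c["pid"]), "comm": c["comm"]}
        elif line.strip().lower() == "call trace:":
            frames = []
    return hits

if __name__ == "__main__":
    for hit in find_zram_oopses(SAMPLE_LOG):
        print(hit)
```

A hit with `signature` set matches the trace in this advisory; other zram hits are still worth triage because they indicate a crash inside the module.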


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-11-19T17:17:25.024Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9823c4522896dcbdefd4

Added to database: 5/21/2025, 9:08:51 AM

Last enriched: 6/28/2025, 10:55:54 AM

Last updated: 7/29/2025, 2:24:29 AM
