CVE-2024-56765: Vulnerability in the Linux kernel (powerpc/pseries VAS)
In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/vas: Add close() callback in vas_vm_ops struct

The mapping VMA address is saved in VAS window struct when the paste address is mapped. This VMA address is used during migration to unmap the paste address if the window is active. The paste address mapping will be removed when the window is closed or with the munmap(). But the VMA address in the VAS window is not updated with munmap() which is causing invalid access during migration.

The KASAN report shows:

[16386.254991] BUG: KASAN: slab-use-after-free in reconfig_close_windows+0x1a0/0x4e8
[16386.255043] Read of size 8 at addr c00000014a819670 by task drmgr/696928
[16386.255096] CPU: 29 UID: 0 PID: 696928 Comm: drmgr Kdump: loaded Tainted: G B 6.11.0-rc5-nxgzip #2
[16386.255128] Tainted: [B]=BAD_PAGE
[16386.255148] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.00 (NH1110_016) hv:phyp pSeries
[16386.255181] Call Trace:
[16386.255202] [c00000016b297660] [c0000000018ad0ac] dump_stack_lvl+0x84/0xe8 (unreliable)
[16386.255246] [c00000016b297690] [c0000000006e8a90] print_report+0x19c/0x764
[16386.255285] [c00000016b297760] [c0000000006e9490] kasan_report+0x128/0x1f8
[16386.255309] [c00000016b297880] [c0000000006eb5c8] __asan_load8+0xac/0xe0
[16386.255326] [c00000016b2978a0] [c00000000013f898] reconfig_close_windows+0x1a0/0x4e8
[16386.255343] [c00000016b297990] [c000000000140e58] vas_migration_handler+0x3a4/0x3fc
[16386.255368] [c00000016b297a90] [c000000000128848] pseries_migrate_partition+0x4c/0x4c4
...
[16386.256136] Allocated by task 696554 on cpu 31 at 16377.277618s:
[16386.256149] kasan_save_stack+0x34/0x68
[16386.256163] kasan_save_track+0x34/0x80
[16386.256175] kasan_save_alloc_info+0x58/0x74
[16386.256196] __kasan_slab_alloc+0xb8/0xdc
[16386.256209] kmem_cache_alloc_noprof+0x200/0x3d0
[16386.256225] vm_area_alloc+0x44/0x150
[16386.256245] mmap_region+0x214/0x10c4
[16386.256265] do_mmap+0x5fc/0x750
[16386.256277] vm_mmap_pgoff+0x14c/0x24c
[16386.256292] ksys_mmap_pgoff+0x20c/0x348
[16386.256303] sys_mmap+0xd0/0x160
...
[16386.256350] Freed by task 0 on cpu 31 at 16386.204848s:
[16386.256363] kasan_save_stack+0x34/0x68
[16386.256374] kasan_save_track+0x34/0x80
[16386.256384] kasan_save_free_info+0x64/0x10c
[16386.256396] __kasan_slab_free+0x120/0x204
[16386.256415] kmem_cache_free+0x128/0x450
[16386.256428] vm_area_free_rcu_cb+0xa8/0xd8
[16386.256441] rcu_do_batch+0x2c8/0xcf0
[16386.256458] rcu_core+0x378/0x3c4
[16386.256473] handle_softirqs+0x20c/0x60c
[16386.256495] do_softirq_own_stack+0x6c/0x88
[16386.256509] do_softirq_own_stack+0x58/0x88
[16386.256521] __irq_exit_rcu+0x1a4/0x20c
[16386.256533] irq_exit+0x20/0x38
[16386.256544] interrupt_async_exit_prepare.constprop.0+0x18/0x2c
...
[16386.256717] Last potentially related work creation:
[16386.256729] kasan_save_stack+0x34/0x68
[16386.256741] __kasan_record_aux_stack+0xcc/0x12c
[16386.256753] __call_rcu_common.constprop.0+0x94/0xd04
[16386.256766] vm_area_free+0x28/0x3c
[16386.256778] remove_vma+0xf4/0x114
[16386.256797] do_vmi_align_munmap.constprop.0+0x684/0x870
[16386.256811] __vm_munmap+0xe0/0x1f8
[16386.256821] sys_munmap+0x54/0x6c
[16386.256830] system_call_exception+0x1a0/0x4a0
[16386.256841] system_call_vectored_common+0x15c/0x2ec
[16386.256868] The buggy address belongs to the object at c00000014a819670 which belongs to the cache vm_area_struct of size 168
[16386.256887] The buggy address is located 0 bytes inside of freed 168-byte region [c00000014a819670, c00000014a819718)
[16386.256915] The buggy address belongs to the physical page:
[16386.256928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a81
[16386.256950] memcg:c0000000ba430001
[16386.256961] anon flags: 0x43ffff800000000(node=4|zone=0|lastcpupid=0x7ffff)
[16386.256975] page_type: 0xfdffffff(slab)
[16386 ---truncated---
AI Analysis
Technical Summary
CVE-2024-56765 is a use-after-free (CWE-416) in the Linux kernel's powerpc/pseries VAS driver. VAS here is the Virtual Accelerator Switchboard, the mechanism that gives user space "windows" onto the NX coprocessor (for example the NX-GZIP compression engine); it is not the virtual address space. When a process mmap()s a window's paste address, the driver stores the resulting vm_area_struct pointer in the VAS window so that, during Live Partition Migration, reconfig_close_windows() can unmap the paste address of every window that is still active. Closing the window tears the mapping down cleanly, but a plain munmap() does not notify the driver: the core MM frees the vm_area_struct while the window still holds the old pointer. If a migration runs while that window remains open, reconfig_close_windows() dereferences the freed VMA. The KASAN report in the description shows exactly this sequence: an 8-byte read in reconfig_close_windows(), reached from vas_migration_handler() and pseries_migrate_partition() on behalf of the drmgr tool, hitting a 168-byte vm_area_struct slab object that sys_mmap() had allocated and that the RCU callback scheduled by sys_munmap() had already freed. The fix adds a close() callback to vas_vm_ops so that the driver clears the saved VMA pointer when the mapping is torn down, whichever path tears it down. The trace was captured on a 6.11.0-rc5 test build (the "nxgzip" tag is the build name, not a product) on an IBM Power11 pSeries partition; any kernel that carries the pseries VAS migration support without the fix is affected. The CVSS v3.1 assessment reported here is 7.8 (local access, low attack complexity, low privileges, no user interaction, high confidentiality, integrity and availability impact). In practice two things must coincide: a local process that opened a VAS window, mapped the paste address and unmapped it without closing the window, and a partition migration started by an administrator. The demonstrated outcome is a kernel read of freed memory, that is, a crash or memory corruption in the middle of a migration; the page documents no code execution, although a use-after-free on a slab object cannot be ruled out as a stepping stone and the CVSS impact scores reflect that possibility. No exploitation in the wild is reported. Exposure is limited to Linux running in IBM Power (PowerVM pSeries) partitions where local users can reach the NX accelerator and Live Partition Migration is in use, which describes a good deal of enterprise and cloud infrastructure on that platform.
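The ownership mistake behind this bug is easier to see in a small user-space model than in the KASAN trace. The following C program is an added example written for this page; it is not kernel code and not the upstream fix. It models the VAS window, the vm_area_struct and the vm_operations_struct with plain structs (vas_window, vma, vm_ops are assumed names), replaces KASAN with a small liveness registry so that no freed memory is ever actually read, and runs the advisory's scenario (mmap, munmap without closing the window, then migrate) once without a close() hook and once with one that clears the window's saved pointer.

```c
/* Constructed model of the CVE-2024-56765 stale-pointer pattern.
 * Not kernel code: vas_window, vma, vm_ops and the liveness registry
 * are assumptions made for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16

struct vma;
struct vas_window;

/* Stand-in for vm_operations_struct: close() runs when a mapping is torn down. */
struct vm_ops {
    void (*close)(struct vma *vma);
};

struct vma {
    const struct vm_ops *ops;
    struct vas_window *win;   /* back-reference to the owning window (assumed) */
};

struct vas_window {
    struct vma *vma;          /* saved paste-address mapping, as in the driver */
};

/* Model-only registry standing in for KASAN: records which vma objects are
 * allocated so a stale pointer can be detected by value, never by access. */
static uintptr_t live[MAX_LIVE];

static void mark_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == 0) { live[i] = (uintptr_t)p; return; }
    abort();
}

static void mark_dead(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == (uintptr_t)p) { live[i] = 0; return; }
}

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == (uintptr_t)p) return 1;
    return 0;
}

/* mmap() of the paste address: allocate the VMA and save it in the window. */
static struct vma *vas_mmap(struct vas_window *win, const struct vm_ops *ops)
{
    struct vma *vma = calloc(1, sizeof(*vma));
    if (!vma) abort();
    vma->ops = ops;
    vma->win = win;
    mark_live(vma);
    win->vma = vma;
    return vma;
}

/* munmap(): the core MM calls ops->close if present, then frees the VMA. */
static void vas_munmap(struct vma *vma)
{
    if (vma->ops && vma->ops->close)
        vma->ops->close(vma);
    mark_dead(vma);
    free(vma);
}

/* Migration path: if the window still records a mapping, unmap it.
 * Returns 1 if a live mapping was torn down, 0 if there was none, and
 * -1 if the saved pointer refers to an already-freed VMA (the bug). */
static int migration_close_window(struct vas_window *win)
{
    if (!win->vma) return 0;
    if (!is_live(win->vma)) return -1;   /* where KASAN reports in the real kernel */
    win->vma = NULL;                     /* real code would also zap the PTEs */
    return 1;
}

/* Pre-fix behaviour: no close() hook, so munmap() leaves win->vma dangling. */
static const struct vm_ops vulnerable_ops = { .close = NULL };

/* Fix pattern: close() clears the window's saved VMA before the VMA is freed. */
static void vas_mmap_close(struct vma *vma)
{
    if (vma->win && vma->win->vma == vma)
        vma->win->vma = NULL;
}
static const struct vm_ops fixed_ops = { .close = vas_mmap_close };

/* Advisory scenario: map, munmap without closing the window, then migrate. */
static int munmap_then_migrate(const struct vm_ops *ops)
{
    struct vas_window win = { 0 };
    struct vma *vma = vas_mmap(&win, ops);
    vas_munmap(vma);
    return migration_close_window(&win);
}

/* Control: the window is still mapped when migration runs. */
static int migrate_while_mapped(const struct vm_ops *ops)
{
    struct vas_window win = { 0 };
    struct vma *vma = vas_mmap(&win, ops);
    int r = migration_close_window(&win);
    vas_munmap(vma);
    return r;
}

int main(void)
{
    printf("munmap then migrate, no close():   %d (-1 = stale VMA)\n",
           munmap_then_migrate(&vulnerable_ops));
    printf("munmap then migrate, with close(): %d\n",
           munmap_then_migrate(&fixed_ops));
    printf("migrate while mapped:              %d\n",
           migrate_while_mapped(&fixed_ops));
    return 0;
}
```

The point of the model is the ordering: the core MM owns the VMA's lifetime and frees it on munmap() regardless of what the driver thinks, so any driver-side copy of that pointer must be invalidated from the MM's own teardown hook, which is what a close() callback in vm_operations_struct is for. In the real driver the clearing also has to be serialised against the migration handler; the model leaves locking out.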
Potential Impact
For European organizations the exposure is confined to Linux running in IBM Power (PowerVM pSeries) partitions with VAS/NX accelerator support, which typically means SAP, database and other consolidated enterprise workloads in banking, telecommunications, public administration and large data centres. The demonstrated effect of the bug is a kernel read of freed memory in the middle of a Live Partition Migration: at best a KASAN or oops report, at worst a partition crash that aborts the migration and takes down every service on that LPAR. Migration is an administrator-initiated operation, so the moment of failure is not under the attacker's control, but the precondition is cheap: a low-privileged local process (matching PR:L) that can open an NX window can leave the stale pointer behind and wait for the next migration, which may be routine where LPM is used for maintenance and load balancing. Turning the dangling vm_area_struct into code execution or privilege escalation would require controlling slab reuse at migration time and is not demonstrated; treat the issue as a denial of service with an unverified escalation potential rather than a confirmed kernel compromise. Outages on shared partitions can still have compliance consequences under GDPR where personal data processing is interrupted or a crash dump containing personal data has to be handled.
Mitigation Recommendations
To mitigate CVE-2024-56765, operators of Linux on IBM Power pSeries partitions should: 1) Apply the upstream fix (the powerpc/pseries/vas commit that adds the close() callback to vas_vm_ops) through their distribution's kernel packages; the issue is marked resolved upstream, so the question is whether the running kernel carries the backport, which the vendor advisory for this CVE states. 2) Until the fixed kernel is booted, restrict who can open VAS windows: the user API is reached through the NX device node (/dev/crypto/nx-gzip on pseries), so limiting its ownership and mode to the service accounts that genuinely use NX-GZIP removes the unprivileged half of the trigger. 3) Defer Live Partition Migration of unpatched LPARs that host untrusted local users, since migration (run by drmgr, as the trace shows) is the step in which the freed VMA is dereferenced. 4) Do not count on generic hardening such as KASLR or KPTI, where the platform offers them at all: the bug is a stale-pointer logic error reached from an administrator-initiated path, and its demonstrated effect is a crash that address randomisation does not prevent. 5) Watch crash dumps and logs for the bug's signature, a KASAN slab-use-after-free or an oops in reconfig_close_windows during a migration, and treat a migration-time crash on an unpatched kernel as a possible trigger rather than a hardware fault. 6) Test the kernel update, including a migration, on a staging partition before fleet-wide rollout, with kdump configured so that a failed migration leaves a usable dump. 7) Keep backups and incident response plans current and track Linux kernel and IBM advisories for backport status on the kernel streams in use.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T11:26:39.762Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde773
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 10:26:23 PM
Last updated: 8/1/2025, 7:58:35 AM