CVE-2024-57874: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not missing in either case.
AI Analysis
Technical Summary
CVE-2024-57874 is a vulnerability identified in the Linux kernel specifically affecting the arm64 architecture's ptrace subsystem. The flaw arises from improper initialization of a temporary variable 'ctrl' in the function tagged_addr_ctrl_set(), which handles the SETREGSET operation for the NT_ARM_TAGGED_ADDR_CTRL regset. When a SETREGSET call is made with a length of zero, the 'ctrl' variable remains uninitialized, causing the function to consume an arbitrary kernel stack value. This results in a potential information leak of up to 64 bits from the kernel stack memory. The vulnerability is limited in scope because the read is confined to a specific stack slot, and there is no write capability associated with this flaw, preventing direct kernel memory modification. Additionally, the set_tagged_addr_ctrl() function enforces constraints on the bits of the value it accepts, which further restricts exploitation. The regset in question is only accessible in the user_aarch64_view context, meaning only native AArch64 tasks manipulating other native AArch64 tasks can interact with it. The vulnerability does not affect compatibility (compat) tasks. The patch involves initializing the temporary 'ctrl' variable before copying the regset from userspace, ensuring that zero-length writes retain the existing tagged address control value. The fix also adds warnings to detect unexpected error conditions. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, the impact of CVE-2024-57874 is primarily an information disclosure risk within systems running Linux on arm64 architecture, which is increasingly common in servers, embedded devices, and cloud infrastructure. The leak of up to 64 bits of kernel stack memory could potentially expose sensitive kernel data or pointers that attackers might use to facilitate further exploitation or bypass security mechanisms such as kernel address space layout randomization (KASLR). However, the vulnerability does not allow arbitrary writes or privilege escalation directly, limiting its immediate severity. Organizations using arm64 Linux systems in critical infrastructure, cloud services, or embedded environments could face increased risk if attackers leverage this leak as part of a multi-stage attack. The requirement that the attacker must have ptrace capabilities on a native AArch64 task means that local privilege or debugging access is needed, reducing the risk from remote attackers but increasing concern for insider threats or compromised local accounts. Overall, the vulnerability could aid attackers in reconnaissance and kernel memory disclosure but is unlikely to cause direct denial of service or full system compromise on its own.
Mitigation Recommendations
European organizations should promptly apply the Linux kernel patches that initialize the 'ctrl' variable in tagged_addr_ctrl_set() to eliminate the uninitialized memory read. Since the vulnerability requires ptrace access to native AArch64 tasks, organizations should enforce strict access controls on ptrace capabilities, limiting them to trusted users and processes only. Employing kernel lockdown features and seccomp filters can reduce the attack surface by restricting ptrace usage. Monitoring for unusual ptrace activity or attempts to perform SETREGSET operations with zero-length writes may help detect exploitation attempts. For embedded or cloud environments using arm64 Linux, ensure that kernel versions are up to date and that security policies prevent unauthorized local access. Additionally, consider using kernel hardening features such as Kernel Address Sanitizer (KASAN) and Kernel Page Table Isolation (KPTI) to mitigate side-channel and memory disclosure risks. Regular security audits and vulnerability scanning should include checks for this CVE to ensure compliance.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
CVE-2024-57874: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism. As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited. Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained. The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handlnig is not missing in either case.
AI-Powered Analysis
Technical Analysis
CVE-2024-57874 is a vulnerability identified in the Linux kernel specifically affecting the arm64 architecture's ptrace subsystem. The flaw arises from improper initialization of a temporary variable 'ctrl' in the function tagged_addr_ctrl_set(), which handles the SETREGSET operation for the NT_ARM_TAGGED_ADDR_CTRL regset. When a SETREGSET call is made with a length of zero, the 'ctrl' variable remains uninitialized, causing the function to consume an arbitrary kernel stack value. This results in a potential information leak of up to 64 bits from the kernel stack memory. The vulnerability is limited in scope because the read is confined to a specific stack slot, and there is no write capability associated with this flaw, preventing direct kernel memory modification. Additionally, the set_tagged_addr_ctrl() function enforces constraints on the bits of the value it accepts, which further restricts exploitation. The regset in question is only accessible in the user_aarch64_view context, meaning only native AArch64 tasks manipulating other native AArch64 tasks can interact with it. The vulnerability does not affect compatibility (compat) tasks. The patch involves initializing the temporary 'ctrl' variable before copying the regset from userspace, ensuring that zero-length writes retain the existing tagged address control value. The fix also adds warnings to detect unexpected error conditions. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, the impact of CVE-2024-57874 is primarily an information disclosure risk within systems running Linux on arm64 architecture, which is increasingly common in servers, embedded devices, and cloud infrastructure. The leak of up to 64 bits of kernel stack memory could potentially expose sensitive kernel data or pointers that attackers might use to facilitate further exploitation or bypass security mechanisms such as kernel address space layout randomization (KASLR). However, the vulnerability does not allow arbitrary writes or privilege escalation directly, limiting its immediate severity. Organizations using arm64 Linux systems in critical infrastructure, cloud services, or embedded environments could face increased risk if attackers leverage this leak as part of a multi-stage attack. The requirement that the attacker must have ptrace capabilities on a native AArch64 task means that local privilege or debugging access is needed, reducing the risk from remote attackers but increasing concern for insider threats or compromised local accounts. Overall, the vulnerability could aid attackers in reconnaissance and kernel memory disclosure but is unlikely to cause direct denial of service or full system compromise on its own.
Mitigation Recommendations
European organizations should promptly apply the Linux kernel patches that initialize the 'ctrl' variable in tagged_addr_ctrl_set() to eliminate the uninitialized memory read. Since the vulnerability requires ptrace access to native AArch64 tasks, organizations should enforce strict access controls on ptrace capabilities, limiting them to trusted users and processes only. Employing kernel lockdown features and seccomp filters can reduce the attack surface by restricting ptrace usage. Monitoring for unusual ptrace activity or attempts to perform SETREGSET operations with zero-length writes may help detect exploitation attempts. For embedded or cloud environments using arm64 Linux, ensure that kernel versions are up to date and that security policies prevent unauthorized local access. Additionally, consider using kernel hardening features such as Kernel Address Sanitizer (KASAN) and Kernel Page Table Isolation (KPTI) to mitigate side-channel and memory disclosure risks. Regular security audits and vulnerability scanning should include checks for this CVE to ensure compliance.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-01-11T14:45:42.022Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9822c4522896dcbde91f
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 8:25:57 AM
Last updated: 7/27/2025, 3:34:43 PM
Views: 8
Related Threats
CVE-2025-8839: Improper Authorization in jshERP
MediumCVE-2025-8862: CWE-201 Insertion of Sensitive Information Into Sent Data in YugabyteDB Inc YugabyteDB
HighCVE-2025-8846: Stack-based Buffer Overflow in NASM Netwide Assember
MediumCVE-2025-8845: Stack-based Buffer Overflow in NASM Netwide Assember
MediumCVE-2025-8844: NULL Pointer Dereference in NASM Netwide Assember
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.