CVE-2024-40947
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's IMA (Integrity Measurement Architecture) subsystem. The vulnerability occurs when sleeping within an RCU read-side critical section, which can cause synchronize_rcu() to return early and break RCU protection, potentially leading to kernel panic or arbitrary code execution. This affects Linux systems with IMA enabled, particularly those using non-PREEMPT kernels.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential arbitrary code execution with kernel privileges resulting in complete system compromise.
Likely Case
Kernel panic causing system crash and denial of service, especially under specific IMA policy evaluation scenarios.
If Mitigated
No impact if IMA is disabled or systems are patched with the GFP_ATOMIC fix.
🎯 Exploit Status
Exploitation requires local access and ability to trigger IMA file measurement operations. The vulnerability was discovered through code analysis and crash reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88, 58275455893066149e9f4df2223ab2fdbdc59f9c, 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34, 9c3906c3738562b1fedc6f1cfc81756a7cfefff0, a38e02265c681b51997a264aaf743095e2ee400a
Vendor Advisory: https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.
🔧 Temporary Workarounds
Disable IMA
Disable the Integrity Measurement Architecture subsystem if not required.
Add 'ima=off' to kernel boot parameters in GRUB configuration
🧯 If You Can't Patch
- Disable IMA by adding 'ima=off' to kernel boot parameters
- Monitor system logs for kernel panic messages related to ima_match_policy
🔍 How to Verify
Check if Vulnerable:
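Check the kernel version and whether IMA has been disabled on the kernel command line (a bare grep for "ima" also matches ima=off itself): grep -qw 'ima=off' /proc/cmdline || echo 'IMA not disabled'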
Check Version:
uname -r
Verify Fix Applied:
Check that the running kernel is patched: run uname -r and compare the result against your distribution's security advisory.
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning ima_match_policy
- NULL pointer dereference at 0000000000000010 in kernel logs
- BUG: unable to handle kernel NULL pointer dereference
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("ima_match_policy" OR "NULL pointer dereference" OR "BUG: unable to handle kernel")
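The verification and log-indicator checks above, combined into one script as an added example (not code from the kernel project or from this page's source). It assumes the `ima=off` token this page names as the workaround and the indicator strings listed above; the function names and the sample log lines are constructed for illustration. Unlike the broad SIEM query, it counts only oops reports in which `ima_match_policy` appears inside the same report as the NULL-dereference header.

```shell
#!/bin/sh
# Added example. The log lines in sample_kernel_log are constructed.

# Succeeds only if the exact token ima=off (the workaround this page names)
# is on the kernel command line. A bare "grep ima" also matches ima=off
# itself and unrelated ima_* parameters.
ima_off_on_cmdline() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'ima=off'
}

# Prints the number of NULL-dereference oops reports that mention
# ima_match_policy between the BUG: header and the "end trace" marker.
# Reads the file given as $1, or stdin when no argument is given.
ima_oops_count() {
    awk '
        function close_report() { if (inrep && hit) n++; inrep = 0; hit = 0 }
        /BUG: (unable to handle )?kernel NULL pointer dereference/ {
            close_report(); inrep = 1
        }
        inrep && /ima_match_policy/ { hit = 1 }
        /---\[ end trace/ { close_report() }
        END { close_report(); print n + 0 }
    ' "${1:--}"
}

# Constructed sample: one IMA-related oops, one unrelated oops, and one
# stray mention of ima_match_policy outside any oops report.
sample_kernel_log() {
    cat <<'EOF'
[  101.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[  101.000002] RIP: 0010:ima_match_policy+0x0/0x0
[  101.000003] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[  202.000002] RIP: 0010:example_driver_read+0x0/0x0
[  202.000003] ---[ end trace 0000000000000000 ]---
[  303.000001] example: ima_match_policy mentioned outside any oops report
EOF
}

echo "IMA-related oops reports in sample: $(sample_kernel_log | ima_oops_count)"
```

On a live host, pass a saved kernel log file to `ima_oops_count`, or pipe `dmesg` or `journalctl -k` output into it.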
🔗 References
- https://git.kernel.org/stable/c/28d0ecc52f6c927d0e9ba70a4f2c1ea15453ee88
- https://git.kernel.org/stable/c/58275455893066149e9f4df2223ab2fdbdc59f9c
- https://git.kernel.org/stable/c/9a95c5bfbf02a0a7f5983280fe284a0ff0836c34
- https://git.kernel.org/stable/c/9c3906c3738562b1fedc6f1cfc81756a7cfefff0
- https://git.kernel.org/stable/c/a38e02265c681b51997a264aaf743095e2ee400a
- https://git.kernel.org/stable/c/a6176a802c4bfb83bf7524591aa75f44a639a853
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html