CVE-2024-49873

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's memory management subsystem causes kernel panic when using memfd_pin_folios with transparent huge pages (THP) at non-aligned offsets. This affects Linux systems using THP with memory-backed operations, potentially causing system crashes and denial of service.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific affected versions are not listed in the CVE; affected kernels are those that do not contain commits c225c4f6056b and 570dd14bfecf
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires THP (Transparent Huge Pages) enabled and applications using memfd_pin_folios with non-huge-page-aligned offsets.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to complete system crash and denial of service, requiring physical or remote reboot.

🟠

Likely Case

System crash or instability when applications use memfd_pin_folios with THP at misaligned offsets, causing service disruption.

🟢

If Mitigated

No impact if THP is disabled or applications avoid misaligned memfd_pin_folios calls.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the system.
🏢 Internal Only: MEDIUM - Local users or processes can trigger crashes, affecting system stability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM - Requires local access and ability to trigger specific memory operations.

Exploitation requires triggering the specific code path with misaligned offsets in THP contexts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits c225c4f6056b46a8a5bf2ed35abf17a2d6887691 and 570dd14bfecf281fa467c80f8ec92b26370ee36a

Vendor Advisory: https://git.kernel.org/stable/c/570dd14bfecf281fa467c80f8ec92b26370ee36a

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution.
2. Reboot the system to load the new kernel.
3. Verify that the running kernel version matches the patched release.

🔧 Temporary Workarounds

Disable Transparent Huge Pages

Prevents the vulnerability by disabling the THP feature that triggers the bug.

echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo never > /sys/kernel/mm/transparent_hugepage/defrag

🧯 If You Can't Patch

  • Disable Transparent Huge Pages system-wide
  • Restrict applications from using memfd_pin_folios with THP

🔍 How to Verify

Check if Vulnerable:

Check whether the kernel version predates the patches and whether THP is enabled:

cat /sys/kernel/mm/transparent_hugepage/enabled

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits and test memfd_pin_folios operations.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs with NULL pointer dereference at filemap_get_folios_contig
  • System crash/reboot events

Network Indicators:

  • None - local vulnerability only

SIEM Query:

search ('kernel panic' AND 'filemap_get_folios_contig') OR ('NULL pointer dereference' AND '0000000000000036')
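The log indicators above can be checked mechanically. The following is an added example (not code from the kernel project or this advisory) that parses kernel log text for a NULL-dereference oops, extracts the faulting function and call-trace frames, and reports whether the crash matches the filemap_get_folios_contig / memfd_pin_folios path described here; SAMPLE_LOG is a constructed oops laid out like a real x86-64 one, and the fault address and function names are taken from this page.

```python
import re
# Added example for this advisory, not code from the kernel project: it scans
# kernel log text (dmesg / journalctl -k) for the oops signature listed above and
# parses the THP sysfs setting used by the workaround. SAMPLE_LOG is constructed.
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \w+:(?P<func>\w+)\+0x")
FRAME_RE = re.compile(r"^(?:\[[^\]]*\])?\s*(?:\? )?(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

def parse_oopses(log_text):
    """Split a kernel log into NULL-deref events: fault address, faulting
    function (from the RIP line) and the call-trace frames that follow."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = BUG_RE.search(line)
        if m:
            cur = {"addr": m.group("addr"), "rip": None, "trace": []}
            events.append(cur)
        elif cur is None or "---[ end trace" in line:
            cur = None  # lines outside an oops are ignored
        elif (m := RIP_RE.search(line)):
            cur["rip"] = m.group("func")
        elif (m := FRAME_RE.match(line)):
            cur["trace"].append(m.group("func"))
    return events

def matches_cve_2024_49873(event):
    """True when the fault is in filemap_get_folios_contig reached from
    memfd_pin_folios, the path this advisory describes; the 0x36 address is a
    supporting hint but not required."""
    return event["rip"] == "filemap_get_folios_contig" and "memfd_pin_folios" in event["trace"]

def thp_mode(sysfs_text):
    """Active mode from /sys/kernel/mm/transparent_hugepage/enabled, e.g.
    'always [madvise] never' -> 'madvise'; 'never' is the workaround state."""
    m = re.search(r"\[(\w+)\]", sysfs_text)
    return m.group(1) if m else None

SAMPLE_LOG = """\
[  812.101] BUG: kernel NULL pointer dereference, address: 0000000000000036
[  812.102] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  812.103] RIP: 0010:filemap_get_folios_contig+0x1b3/0x2f0
[  812.104] Call Trace:
[  812.105]  memfd_pin_folios+0x2e1/0x4a0
[  812.106]  ? __pfx_memfd_pin_folios+0x10/0x10
[  812.107]  do_syscall_64+0x5b/0x170
[  812.108] ---[ end trace 0000000000000000 ]---
"""

if __name__ == "__main__":
    print([(e["addr"], e["rip"], matches_cve_2024_49873(e)) for e in parse_oopses(SAMPLE_LOG)])
```

Feed it the output of `journalctl -k` or `dmesg` to triage crashes, and pair the result with `thp_mode()` on the sysfs file to confirm whether the host still had THP enabled when the oops occurred.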
