CVE-2024-53222
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's zram compression algorithm display function allows local users to crash the system by reading from sysfs. This affects Linux systems with zram enabled, requiring local access to trigger the crash. The vulnerability occurs during a brief time window after device initialization.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
Local denial of service through kernel panic when a user reads the compression algorithm sysfs attribute during the vulnerable time window.
If Mitigated
No impact if the system is patched or if zram is not enabled/used.
🎯 Exploit Status
Exploitation requires local access and specific timing during device initialization. Discovered through LTP testing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 843d366ff19708668d95cda16bb8aba109a93dba, c7ee791e538537b281f60945298796f0a3971bbd, f364cdeb38938f9d03061682b8ff3779dd1730e5
Vendor Advisory: https://git.kernel.org/stable/c/843d366ff19708668d95cda16bb8aba109a93dba
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. Check your distribution's security advisories for specific patched versions. 3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable zram
linuxIf zram is not required, disable it to eliminate the vulnerability.
sudo modprobe -r zram
echo 'blacklist zram' | sudo tee /etc/modprobe.d/blacklist-zram.conf
🧯 If You Can't Patch
- Disable zram if not essential for system operation
- Restrict local user access to systems with zram enabled
🔍 How to Verify
Check if Vulnerable:
Check if zram module is loaded: lsmod | grep zram. If loaded, check kernel version against patched versions.Check Version:
uname -rVerify Fix Applied:
After patching, verify kernel version contains fix commits or is newer than vulnerable versions.📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log or dmesg
- NULL pointer dereference errors mentioning zram or comp_algorithm_show
Network Indicators:
- None - local vulnerability only
SIEM Query:
Search for kernel panic events or NULL pointer dereference in system logs