CVE-2024-57849
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's s390 CPU Measurement Facility (CPUMF) sampling component allows reading from already freed memory buffers during CPU hotplug removal. This can lead to kernel memory corruption, crashes, or potential privilege escalation. Affects Linux systems with s390 architecture running kernel versions with the vulnerable code.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic, system crash, or potential privilege escalation leading to full system compromise if an attacker can trigger the race condition and manipulate freed memory.
Likely Case
System instability, kernel crashes, or invalid sampling data leading to performance monitoring failures.
If Mitigated
Minor performance impact from sampling failures without system compromise.
🎯 Exploit Status
Requires local access, specific s390 hardware, and ability to trigger CPU hotplug during sampling operations. Race condition exploitation is challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 06a92f810df8037ca36157282ddcbefdcaf049b8, 238e3af849dfdcb1faed544349f7025e533f9aab, 99192c735ed4bfdff0d215ec85c8a87a677cb898, a0bd7dacbd51c632b8e2c0500b479af564afadf3, a69752f1e5de817941a2ea0609254f6f25acd274
Vendor Advisory: https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution vendor.
2. For custom kernels, apply the relevant git commits.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable CPU hotplug during sampling
s390: Avoid CPU hotplug operations while CPUMF sampling is active to prevent triggering the race condition.
echo 0 > /sys/devices/system/cpu/cpuX/online (to offline specific CPUs before sampling)
Monitor and restrict hotplug operations during sampling periods
🧯 If You Can't Patch
- Disable CPU Measurement Facility sampling if not required
- Implement strict access controls to prevent unauthorized users from triggering CPU hotplug or sampling operations
🔍 How to Verify
Check if Vulnerable:
Confirm that the system is running on s390 architecture (uname -a | grep s390), then check whether the kernel version predates the patches.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits: grep -r 'commit_hash' /usr/src/linux-headers-* or check distribution patch notes
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages related to cpum_sf, perf events, or memory corruption
- System crashes during CPU hotplug operations
- dmesg errors about use-after-free or invalid memory accesses
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("cpum_sf" OR "perf_event_exit_cpu" OR "use-after-free")
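A triage sketch for the indicators above, added here as an example (it is not part of the original advisory or of any vendor tooling). The OR query matches any kernel use-after-free report, so this shell function rates a hit HIGH only when a use-after-free line and a cpum_sf or perf_event_exit_cpu reference occur within a few lines of each other. The function names, the line-window heuristic and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage kernel log text for the indicators listed on this page.

# Constructed sample input (not captured from a real system).
sample_klog() {
    cat <<'EOF'
[  101.000001] BUG: KASAN: use-after-free in example_unrelated_driver+0x10/0x40
[  101.000002] Call Trace:
[  101.000003]  example_unrelated_driver+0x10/0x40
[  245.100000] BUG: KASAN: use-after-free in cpum_sf_example_read+0x20/0x80
[  245.100001] Call Trace:
[  245.100002]  perf_event_exit_cpu+0x30/0x90
[  300.000000] cpum_sf: constructed informational message
EOF
}

# Usage: triage_klog [WINDOW] < logfile
# Prints "HIGH <lineno>" for a use-after-free report that has a cpum_sf or
# perf_event_exit_cpu reference on the same line or within WINDOW lines after it,
# and "LOW <lineno>" for a line that matches only one indicator on its own.
triage_klog() {
    awk -v win="${1:-10}" '
    {
        l = tolower($0)
        is_uaf = (l ~ /use-after-free/)
        is_sf  = (l ~ /cpum_sf|perf_event_exit_cpu/)
        # A pending report with no sampling reference inside the window is generic.
        if (uaf && NR - uaf > win) { print "LOW " uaf; uaf = 0 }
        if (is_uaf) {
            if (uaf) print "LOW " uaf
            if (is_sf) { print "HIGH " NR; hi = NR; uaf = 0 }
            else uaf = NR
        } else if (is_sf) {
            # Promote a pending report, or skip trace lines of one already rated HIGH.
            if (uaf) { print "HIGH " uaf; hi = NR; uaf = 0 }
            else if (!hi || NR - hi > win) print "LOW " NR
        }
    }
    END { if (uaf) print "LOW " uaf }
    '
}

# Stand-alone run over the constructed sample with a 2-line window.
sample_klog | triage_klog 2
```

On a live system the same function can read `dmesg` or journal output on stdin; a HIGH hit that coincides with a CPU offline operation is the case worth escalating.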
🔗 References
- https://git.kernel.org/stable/c/06a92f810df8037ca36157282ddcbefdcaf049b8
- https://git.kernel.org/stable/c/238e3af849dfdcb1faed544349f7025e533f9aab
- https://git.kernel.org/stable/c/99192c735ed4bfdff0d215ec85c8a87a677cb898
- https://git.kernel.org/stable/c/a0bd7dacbd51c632b8e2c0500b479af564afadf3
- https://git.kernel.org/stable/c/a69752f1e5de817941a2ea0609254f6f25acd274
- https://git.kernel.org/stable/c/b5be6a0bb639d165c8418d8dddd8f322587be8be
- https://git.kernel.org/stable/c/be54e6e0f93a39a9c00478d70d12956a5f3d5b9b
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html