CVE-2024-35877 — Missing Release of Memory after Effective Lifetime in Linux
Severity
5.5MEDIUMNVD
OSV7.8OSV7.0OSV6.8
EPSS
0.0%
top 99.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 19
Latest updateDec 10
Description
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/pat: fix VM_PAT handling in COW mappings
PAT handling won't do the right thing in COW mappings: the first PTE (or,
in fact, all PTEs) can be replaced during write faults to point at anon
folios. Reliably recovering the correct PFN and cachemode using
follow_phys() from PTEs will not work in COW mappings.
Using follow_phys(), we might just get the address+protection of the anon
folio (which is very wrong), or fail on sw…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6
Affected Packages5 packages
▶CVEListV5linux/linux5899329b19100c0b82dc78e9b21ed8b920c9ffb3 — f18681daaec9665a15c5e7e0f591aad5d0ac622b+8
Also affects: Debian Linux 10.0
Patches
🔴Vulnerability Details
23OSV▶
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle vulnerabilities↗2024-11-19