CVE & CISA-KEV Catalog

CVE-2024-50066

HIGH
7.0
CVSS v3
NVD

Description

In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix move_normal_pmd/retract_page_tables race In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. As far as I know, getting shmem THP normally requires that you can mount your own tmpfs with the right mount flags, which would require creating your own user+mount namespace; though I don't know if some distros maybe enable shmem THP by default or something like that. Bug impact: This issue can likely be used for user->kernel privilege escalation when it is reachable.

How to fix

Remediation Available
linuxDebian
Fixed in:6.11.5-1CVE-2024-50066
Fixed in:6.11.5-1CVE-2024-50066
linuxUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-awsUbuntu
Fixed in:6.8.0-1025.27USN-7383-1
linux-aws-6.8Ubuntu
Fixed in:6.8.0-1027.29~22.04.1USN-7451-1
linux-azureUbuntu
Fixed in:6.8.0-1025.30USN-7384-1
linux-azure-6.8Ubuntu
Fixed in:6.8.0-1025.30~22.04.1USN-7384-2
linux-azure-nvidiaUbuntu
Fixed in:6.8.0-1014.15USN-7468-1
linux-gcpUbuntu
Fixed in:6.8.0-1026.28USN-7383-1
linux-gcp-6.8Ubuntu
Fixed in:6.8.0-1026.28~22.04.1USN-7383-1
linux-gkeUbuntu
Fixed in:6.8.0-1021.25USN-7383-1
linux-gkeopUbuntu
Fixed in:6.8.0-1008.10USN-7383-1
linux-hwe-6.8Ubuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-ibmUbuntu
Fixed in:6.8.0-1022.22USN-7385-1
linux-image-6.11.0-1015-oemUbuntu
Fixed in:6.11.0-1015.15USN-7310-1
linux-image-6.8.0-1008-gkeopUbuntu
Fixed in:6.8.0-1008.10USN-7383-1
linux-image-6.8.0-1014-azure-nvidiaUbuntu
Fixed in:6.8.0-1014.15USN-7468-1
linux-image-6.8.0-1021-gkeUbuntu
Fixed in:6.8.0-1021.25USN-7383-1
linux-image-6.8.0-1022-ibmUbuntu
Fixed in:6.8.0-1022.22USN-7385-1
linux-image-6.8.0-1022-oracleUbuntu
Fixed in:6.8.0-1022.23~22.04.1USN-7383-1
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-6.8.0-1022-oracle-64kUbuntu
Fixed in:6.8.0-1022.23~22.04.1USN-7383-1
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-6.8.0-1024-nvidiaUbuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
Fixed in:6.8.0-1024.27USN-7383-1
linux-image-6.8.0-1024-nvidia-64kUbuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
Fixed in:6.8.0-1024.27USN-7383-1
linux-image-6.8.0-1024-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1024.27.1USN-7383-1
linux-image-6.8.0-1024-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1024.27.1USN-7383-1
linux-image-6.8.0-1024-oemUbuntu
Fixed in:6.8.0-1024.24USN-7386-1
linux-image-6.8.0-1025-awsUbuntu
Fixed in:6.8.0-1025.27USN-7383-1
linux-image-6.8.0-1025-azureUbuntu
Fixed in:6.8.0-1025.30~22.04.1USN-7384-2
Fixed in:6.8.0-1025.30USN-7384-1
linux-image-6.8.0-1025-azure-fdeUbuntu
Fixed in:6.8.0-1025.30~22.04.1USN-7384-2
Fixed in:6.8.0-1025.30USN-7384-1
linux-image-6.8.0-1026-gcpUbuntu
Fixed in:6.8.0-1026.28~22.04.1USN-7383-1
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-6.8.0-1026-gcp-64kUbuntu
Fixed in:6.8.0-1026.28~22.04.1USN-7383-1
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-6.8.0-1027-awsUbuntu
Fixed in:6.8.0-1027.29~22.04.1USN-7451-1
linux-image-6.8.0-1028-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-image-6.8.0-2023-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-image-6.8.0-56-genericUbuntu
Fixed in:6.8.0-56.58+1USN-7383-1
linux-image-6.8.0-56-generic-64kUbuntu
Fixed in:6.8.0-56.58+1USN-7383-1
linux-image-6.8.0-56-lowlatencyUbuntu
Fixed in:6.8.0-56.58.1~22.04.1USN-7383-1
Fixed in:6.8.0-56.58.1USN-7383-1
linux-image-6.8.0-56-lowlatency-64kUbuntu
Fixed in:6.8.0-56.58.1~22.04.1USN-7383-1
Fixed in:6.8.0-56.58.1USN-7383-1
linux-image-6.8.0-57-genericUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-6.8.0-57-generic-64kUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-6.8.1-1018-realtimeUbuntu
Fixed in:6.8.1-1018.19USN-7383-2
linux-image-awsUbuntu
Fixed in:6.8.0-1027.29~22.04.1USN-7451-1
Fixed in:6.8.0-1025.27USN-7383-1
linux-image-aws-lts-24.04Ubuntu
Fixed in:6.8.0-1025.27USN-7383-1
linux-image-azureUbuntu
Fixed in:6.8.0-1025.30~22.04.1USN-7384-2
linux-image-azure-fdeUbuntu
Fixed in:6.8.0-1025.30~22.04.1USN-7384-2
linux-image-azure-fde-lts-24.04Ubuntu
Fixed in:6.8.0-1025.30USN-7384-1
linux-image-azure-lts-24.04Ubuntu
Fixed in:6.8.0-1025.30USN-7384-1
linux-image-azure-nvidiaUbuntu
Fixed in:6.8.0-1014.15USN-7468-1
linux-image-gcpUbuntu
Fixed in:6.8.0-1026.28~22.04.1USN-7383-1
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-gcp-64kUbuntu
Fixed in:6.8.0-1026.28~22.04.1USN-7383-1
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-gcp-64k-lts-24.04Ubuntu
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-gcp-lts-24.04Ubuntu
Fixed in:6.8.0-1026.28USN-7383-1
linux-image-genericUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-image-generic-64kUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-image-generic-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-generic-hwe-22.04Ubuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-generic-lpaeUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-image-gkeUbuntu
Fixed in:6.8.0-1021.25USN-7383-1
linux-image-gkeopUbuntu
Fixed in:6.8.0-1008.10USN-7383-1
linux-image-gkeop-6.8Ubuntu
Fixed in:6.8.0-1008.10USN-7383-1
linux-image-ibmUbuntu
Fixed in:6.8.0-1022.22USN-7385-1
linux-image-ibm-classicUbuntu
Fixed in:6.8.0-1022.22USN-7385-1
linux-image-ibm-lts-24.04Ubuntu
Fixed in:6.8.0-1022.22USN-7385-1
linux-image-kvmUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-image-lowlatencyUbuntu
Fixed in:6.8.0-56.58.1USN-7383-1
linux-image-lowlatency-64kUbuntu
Fixed in:6.8.0-56.58.1USN-7383-1
linux-image-lowlatency-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-56.58.1~22.04.1USN-7383-1
linux-image-lowlatency-hwe-22.04Ubuntu
Fixed in:6.8.0-56.58.1~22.04.1USN-7383-1
linux-image-nvidiaUbuntu
Fixed in:6.8.0-1024.27USN-7383-1
linux-image-nvidia-6.8Ubuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
linux-image-nvidia-64kUbuntu
Fixed in:6.8.0-1024.27USN-7383-1
linux-image-nvidia-64k-6.8Ubuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
linux-image-nvidia-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
linux-image-nvidia-hwe-22.04Ubuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
linux-image-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1024.27.1USN-7383-1
linux-image-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1024.27.1USN-7383-1
linux-image-oem-22.04Ubuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
Fixed in:6.8.0-56.58USN-7383-1
linux-image-oem-22.04aUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-oem-22.04bUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-oem-22.04cUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-oem-22.04dUbuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-image-oem-24.04Ubuntu
Fixed in:6.8.0-1024.24USN-7386-1
linux-image-oem-24.04aUbuntu
Fixed in:6.8.0-1024.24USN-7386-1
linux-image-oem-24.04bUbuntu
Fixed in:6.11.0-1015.15USN-7310-1
linux-image-oracleUbuntu
Fixed in:6.8.0-1022.23~22.04.1USN-7383-1
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-oracle-64kUbuntu
Fixed in:6.8.0-1022.23~22.04.1USN-7383-1
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-oracle-64k-lts-24.04Ubuntu
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-oracle-lts-24.04Ubuntu
Fixed in:6.8.0-1022.23USN-7383-1
linux-image-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-image-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-image-realtimeUbuntu
Fixed in:6.8.1-1018.19USN-7383-2
linux-image-realtime-hwe-24.04Ubuntu
Fixed in:6.8.1-1018.19USN-7383-2
linux-image-virtualUbuntu
Fixed in:6.8.0-56.58USN-7383-1
linux-image-virtual-hwe-22.04Ubuntu
Fixed in:6.8.0-57.59~22.04.1USN-7403-1
linux-lowlatencyUbuntu
Fixed in:6.8.0-56.58.1USN-7383-1
linux-lowlatency-hwe-6.8Ubuntu
Fixed in:6.8.0-56.58.1~22.04.1USN-7383-1
linux-nvidiaUbuntu
Fixed in:6.8.0-1024.27USN-7383-1
linux-nvidia-6.8Ubuntu
Fixed in:6.8.0-1024.27~22.04.1USN-7383-1
linux-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1024.27.1USN-7383-1
linux-oem-6.11Ubuntu
Fixed in:6.11.0-1015.15USN-7310-1
linux-oem-6.8Ubuntu
Fixed in:6.8.0-1024.24USN-7386-1
linux-oracleUbuntu
Fixed in:6.8.0-1022.23USN-7383-1
linux-oracle-6.8Ubuntu
Fixed in:6.8.0-1022.23~22.04.1USN-7383-1
linux-raspiUbuntu
Fixed in:6.8.0-1028.32USN-7524-1
linux-raspi-realtimeUbuntu
Fixed in:6.8.0-2023.24USN-7523-1
linux-realtimeUbuntu
Fixed in:6.8.1-1018.19USN-7383-2

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

0.20%probability of exploitation in 30 days
10thpercentile

Low risk: more likely to be exploited than 10% of all known CVEs.

References

Related Vulnerabilities

Other CWE-362 (Race Condition) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2024-6387High8.1100%-Fix
CVE-2023-36884High7.599%KEV + RansomFix
CVE-2018-15473Medium5.399%-Fix
CVE-2024-27983High8.287%-Fix
CVE-2014-0226Medium6.886%-Fix
CVE-2016-5195High7.084%KEVFix
Embed a live status badge for CVE-2024-50066
CVE-2024-50066 severity badge

Markdown

[![CVE-2024-50066](https://tridentstack.com/cve/badge/CVE-2024-50066.svg)](https://tridentstack.com/cve/CVE-2024-50066)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-50066"><img src="https://tridentstack.com/cve/badge/CVE-2024-50066.svg" alt="CVE-2024-50066"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-03-07.