{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36881", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.064Z", "datePublished": "2024-05-30T15:28:52.119Z", "dateUpdated": "2025-05-04T12:56:23.125Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:56:23.125Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: reset ptes when close() for wr-protected ones\n\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover\nthat too.  This fixes a WARN trace.\n\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it.  However hopefully that should be\nharmless, and nothing bad should happen even if so.\n\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\"mm/page_table_check:\nsupport userfault wr-protect entries\")), as we'll do sanity check on\nuffd-wp bits without vma context.  So it's better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/userfaultfd.c"], "versions": [{"version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "377f3a9a3d032a52325a5b110379a25dd1ab1931", "status": "affected", "versionType": "git"}, {"version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d", "status": "affected", "versionType": "git"}, {"version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "c88033efe9a391e72ba6b5df4b01d6e628f4e734", "status": "affected", "versionType": "git"}, {"version": "3e2747c3ddfa717697c3cc2aa6ab989e48d6587d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/userfaultfd.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.6.31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.8.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931"}, {"url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d"}, {"url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734"}], "title": "mm/userfaultfd: reset ptes when close() for wr-protected ones", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-31T18:32:07.483199Z", "id": "CVE-2024-36881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T21:32:19.084Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.857Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:49.857Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-31T18:32:07.483199Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-31T18:32:12.400Z"}}], "cna": {"title": "mm/userfaultfd: reset ptes when close() for wr-protected ones", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "377f3a9a3d032a52325a5b110379a25dd1ab1931", "versionType": "git"}, {"status": "affected", "version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d", "versionType": "git"}, {"status": "affected", "version": "f369b07c861435bd812a9d14493f71b34132ed6f", "lessThan": "c88033efe9a391e72ba6b5df4b01d6e628f4e734", "versionType": "git"}], "programFiles": ["fs/userfaultfd.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.0"}, {"status": "unaffected", "version": "0", "lessThan": "6.0", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.31", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/userfaultfd.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931"}, {"url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d"}, {"url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: reset ptes when close() for wr-protected ones\n\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover\nthat too.  This fixes a WARN trace.\n\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it.  However hopefully that should be\nharmless, and nothing bad should happen even if so.\n\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\"mm/page_table_check:\nsupport userfault wr-protect entries\")), as we'll do sanity check on\nuffd-wp bits without vma context.  So it's better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:01:16.836Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36881", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:01:16.836Z", "dateReserved": "2024-05-30T15:25:07.064Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T15:28:52.119Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "513F4557-6F2C-4B5B-B6CA-A7A4B230C56C", "versionEndExcluding": "6.6.31", "versionStartIncluding": "5.19.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6B920C-8D8F-4130-86B4-AD334F4CF2E3", "versionEndExcluding": "6.8.10", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*", "matchCriteriaId": "F850DCEC-E08B-4317-A33B-D2DCF39F601B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*", "matchCriteriaId": "91326417-E981-482E-A5A3-28BC1327521B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*", "matchCriteriaId": "DAECDCD8-F556-4606-8D7B-5C6D47A501F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/userfaultfd: reset ptes when close() for wr-protected ones\n\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover\nthat too.  This fixes a WARN trace.\n\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it.  However hopefully that should be\nharmless, and nothing bad should happen even if so.\n\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\"mm/page_table_check:\nsupport userfault wr-protect entries\")), as we'll do sanity check on\nuffd-wp bits without vma context.  So it's better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/userfaultfd: restablece ptes al cerrar() para los protegidos por wr. Userfaultfd unregister incluye un paso para eliminar los bits de wr-protect de todas las entradas relevantes de pgtable, pero eso solo cubre una UFFDIO_UNREGISTER ioctl expl\u00edcito, no un close() en el propio userfaultfd. Cubre eso tambi\u00e9n. Esto corrige un rastro WARN. El \u00fanico efecto secundario visible para el usuario es que puede observar los bits wr-protect sobrantes incluso si el usuario cerr\u00f3 () en un userfaultfd al liberar la \u00faltima referencia del mismo. Sin embargo, es de esperar que eso sea inofensivo y, aun as\u00ed, no deber\u00eda pasar nada malo. Este cambio ahora es m\u00e1s importante despu\u00e9s del reciente parche de verificaci\u00f3n de tabla de p\u00e1ginas que fusionamos en mm-unstable (446dd9ad37d0 (\"mm/page_table_check: admite entradas de protecci\u00f3n wr de error de usuario\")), ya que haremos una verificaci\u00f3n de cordura en uffd-wp. bits sin contexto vma. Por lo tanto, es mejor si podemos garantizar al 100% que no queden restos de bits de uffd-wp, para asegurarnos de que cada informe sea v\u00e1lido."}], "id": "CVE-2024-36881", "lastModified": "2025-04-01T18:34:35.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-30T16:15:11.723", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/377f3a9a3d032a52325a5b110379a25dd1ab1931"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8d8b68a5b0c9fb23d37df06bb273ead38fd5a29d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c88033efe9a391e72ba6b5df4b01d6e628f4e734"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: mm/userfaultfd: reset ptes when close() for wr-protected ones", "id": "2284277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284277"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-281", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmm/userfaultfd: reset ptes when close() for wr-protected ones\nUserfaultfd unregister includes a step to remove wr-protect bits from all\nthe relevant pgtable entries, but that only covered an explicit\nUFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover\nthat too.  This fixes a WARN trace.\nThe only user visible side effect is the user can observe leftover\nwr-protect bits even if the user close()ed on an userfaultfd when\nreleasing the last reference of it.  However hopefully that should be\nharmless, and nothing bad should happen even if so.\nThis change is now more important after the recent page-table-check\npatch we merged in mm-unstable (446dd9ad37d0 (\"mm/page_table_check:\nsupport userfault wr-protect entries\")), as we'll do sanity check on\nuffd-wp bits without vma context.  So it's better if we can 100%\nguarantee no uffd-wp bit leftovers, to make sure each report will be\nvalid."], "name": "CVE-2024-36881", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36881\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36881\nhttps://lore.kernel.org/linux-cve-announce/2024053032-CVE-2024-36881-24d0@gregkh/T"], "threat_severity": "Moderate"}