Cyber Posture

CVE-2024-52319

High

Published: 11 January 2025

Modified: 23 September 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: use aligned address in clear_gigantic_page()

In the current kernel, hugetlb_no_page() calls folio_zero_user() with the fault address, which may not be aligned with the huge page size. folio_zero_user() may then call clear_gigantic_page() with that address, while clear_gigantic_page() requires the address to be huge-page-size aligned. This may cause memory corruption or an information leak. Additionally, use the more obvious name 'addr_hint' instead of 'addr' for clear_gigantic_page().

Security Summary

CVE-2024-52319 is a vulnerability in the Linux kernel's memory management subsystem, specifically affecting the handling of huge pages in hugetlb_no_page(). The issue arises when hugetlb_no_page() passes a fault address that may not be aligned to the huge page size to folio_zero_user(), which in turn can invoke clear_gigantic_page(). This function expects a huge page size-aligned address, and passing an unaligned one can lead to memory corruption or information leakage. The vulnerability is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability without user interaction. By triggering a page fault in a context involving gigantic huge pages, the attacker can cause clear_gigantic_page() to operate on an unaligned address, potentially resulting in arbitrary memory corruption or leakage of sensitive kernel memory contents. The high impact scores across confidentiality, integrity, and availability indicate severe consequences, such as kernel crashes, privilege escalation, or exposure of other processes' data.

The provided references point to kernel patch commits that resolve the issue by ensuring an aligned address is used in clear_gigantic_page() and renaming the parameter from 'addr' to 'addr_hint' for clarity. Security practitioners should apply these patches from the stable kernel branches (e.g., commits 8aca2bc96c833ba695ede7a45ad7784c836a262e and b79b6fe0737f233f0be1465052b7f0e75f324735) to mitigate the vulnerability in affected Linux distributions.

Details

CWE(s)
CWE-787

Affected Products

linux
linux kernel
6.13 · 6.11 — 6.12.7
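A triage check for the version ranges listed above, written as an added illustration (not code from Cyber Posture or from the kernel project). It assumes the range "6.11 — 6.12.7" is inclusive at both ends and reads the bare "6.13" entry as the 6.13 pre-release (-rc) series, so a final 6.13.0 is treated as outside the listed range; both readings are assumptions, as is the `uname -r` string format it parses.

```python
"""Check whether a Linux kernel release string falls inside the affected
versions this CVE record lists.  Added example; assumptions are noted inline."""
import re

# Copied from the record's "Affected Products": (low, high), both inclusive (assumed).
AFFECTED_RANGES = [((6, 11, 0), (6, 12, 7))]
# The record's bare "6.13" entry, assumed to mean 6.13-rc kernels.
AFFECTED_RC_SERIES = [(6, 13)]

# Matches the leading "MAJOR.MINOR[.PATCH][-rcN]" of a `uname -r` style string,
# e.g. "6.12.4-arch1-1" or "6.13.0-rc3"; any distro suffix after that is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str):
    """Return ((major, minor, patch), rc); rc is None for a final release."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def is_affected(release: str) -> bool:
    """True when the upstream version is inside a range the record lists."""
    version, rc = parse_kernel_version(release)
    if rc is not None:
        # Which 6.13-rc carried the fix is not stated on the page, so every rc of a
        # listed series is flagged for manual follow-up rather than silently passed.
        return version[:2] in AFFECTED_RC_SERIES
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    import platform

    rel = platform.release()
    print(f"{rel}: {'in listed range' if is_affected(rel) else 'not in listed range'}")
```

Distribution kernels backport fixes without changing the upstream version number, so a hit here means "check the distro advisory and the referenced commits", not a confirmed vulnerable host.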

References