Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-0564

CVE-2024-0564: Linux Kernel Information Disclosure Flaw

CVE-2024-0564 is an information disclosure vulnerability in Linux Kernel's memory deduplication mechanism that enables side-channel attacks. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2024-0564 Overview

A side channel vulnerability was discovered in the Linux kernel's Kernel Samepage Merging (KSM) memory deduplication mechanism. This flaw, introduced in Linux kernel version 4.4.0-96.119, allows an attacker sharing the same host as a victim to exploit the timing of memory unmap operations to infer information about the victim's memory pages. The vulnerability specifically targets the "max page sharing" feature with its default setting of 256 pages.

Critical Impact

Attackers on shared hosting environments can leverage timing side channels to leak sensitive information from victim memory pages through the KSM deduplication mechanism.

Affected Products

  • Linux Linux Kernel (versions with KSM max page sharing feature)
  • Red Hat Enterprise Linux 8.0
  • Red Hat Enterprise Linux 9.0

Discovery Timeline

  • January 30, 2024 - CVE-2024-0564 published to NVD
  • November 25, 2024 - Last updated in NVD database

Technical Details for CVE-2024-0564

Vulnerability Analysis

This vulnerability is classified as CWE-203 (Observable Discrepancy), a side channel attack that exploits observable differences in system behavior. The flaw exists in how the Linux kernel's Kernel Samepage Merging (KSM) handles memory page deduplication across different processes on the same host.

KSM is a memory-saving de-duplication feature that scans memory for identical pages and merges them into a single page, reducing overall memory footprint in virtualized and containerized environments. However, the implementation of the "max page sharing" feature creates a measurable timing difference that can be exploited.

When an attacker and victim share the same physical host, the attacker can craft memory pages designed to match the victim's pages. By measuring the time it takes to unmap these pages, the attacker can determine whether a merge occurred with the victim's page. The timing varies based on whether the unmap operation triggers the creation of additional physical pages beyond KSM's max page share limit of 256.

Root Cause

The root cause lies in the observable timing discrepancy during memory unmap operations when KSM page sharing reaches its configured maximum threshold. The default configuration of max page sharing=256 creates a predictable boundary condition that attackers can exploit to determine whether their crafted pages have been merged with victim pages. This timing leak reveals information about the victim's memory contents through the measurable performance differential.

Attack Vector

This vulnerability requires adjacent network access (same host environment), meaning the attacker must be co-located on the same physical machine as the victim. This is common in cloud computing, virtualized environments, and shared hosting scenarios.

The attack works by:

  1. The attacker creates memory pages with specific content patterns
  2. KSM scans and potentially merges identical pages between attacker and victim
  3. When unmapping, the attacker measures the operation timing
  4. Timing differences reveal whether a merge occurred, leaking information about victim memory contents
  5. By iterating with different page contents, the attacker can progressively leak victim data

The attack does not require privileges and needs no user interaction, making it particularly concerning for multi-tenant environments where memory isolation is critical for security.

Detection Methods for CVE-2024-0564

Indicators of Compromise

  • Unusual patterns of memory page allocations and deallocations from specific processes
  • Abnormal KSM merge/unmerge activity rates that deviate from baseline behavior
  • Processes repeatedly creating and unmapping memory pages with similar timing patterns
  • High-frequency memory operations from processes that don't typically exhibit such behavior

Detection Strategies

  • Monitor KSM statistics via /sys/kernel/mm/ksm/ for anomalous merging patterns
  • Implement kernel auditing to track unusual memory operations and page table modifications
  • Deploy host-based intrusion detection systems (HIDS) configured to detect timing-based side channel indicators
  • Establish baseline metrics for KSM activity and alert on significant deviations

Monitoring Recommendations

  • Enable detailed logging of KSM operations on multi-tenant systems
  • Track process memory behavior patterns, especially in virtualized or containerized environments
  • Monitor for processes exhibiting high-frequency map/unmap cycles with minimal actual memory usage
  • Review access logs for processes running on shared hosts that exhibit suspicious memory patterns

How to Mitigate CVE-2024-0564

Immediate Actions Required

  • Evaluate the need for KSM in your environment and disable it if not required using echo 0 > /sys/kernel/mm/ksm/run
  • Reduce the max_page_sharing value to limit the attack surface in shared environments
  • Isolate sensitive workloads on dedicated physical hosts where possible
  • Apply vendor-provided patches and updates as they become available

Patch Information

Organizations should consult their Linux distribution vendor for specific patch availability. Detailed information can be found in the Red Hat CVE-2024-0564 Advisory and Red Hat Bugzilla #2258514. Ubuntu users can reference Ubuntu Bug Report #1680513 for additional details and tracking.

Workarounds

  • Disable KSM entirely on systems handling sensitive workloads where memory deduplication is not critical
  • Implement strict tenant isolation by avoiding co-location of untrusted and sensitive workloads
  • Reduce max_page_sharing to a lower value to increase the difficulty of exploitation
  • Consider alternative memory optimization techniques that don't introduce side channel risks
bash
# Disable KSM if not required
echo 0 > /sys/kernel/mm/ksm/run

# Alternatively, reduce max_page_sharing to limit attack surface
echo 8 > /sys/kernel/mm/ksm/max_page_sharing

# Verify KSM status
cat /sys/kernel/mm/ksm/run
cat /sys/kernel/mm/ksm/max_page_sharing

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne