CVE-2024-44947 Overview
A vulnerability has been discovered in the Linux kernel's FUSE (Filesystem in Userspace) subsystem that allows information disclosure through uninitialized memory exposure. The fuse_notify_store() function fails to properly initialize page contents beyond end-of-file (EOF) before marking pages as uptodate, potentially exposing sensitive kernel memory to userspace processes via mmap().
Unlike fuse_do_readpage(), the fuse_notify_store() function does not enable page zeroing because it is designed to support partial page content modifications. This design decision creates a security gap where beyond-EOF page contents may remain uninitialized and subsequently become accessible to userspace applications through memory mapping operations.
Critical Impact
Local attackers with low privileges can exploit this information leak vulnerability to access uninitialized kernel memory contents, potentially exposing sensitive data from previous memory allocations. This primarily affects systems without init-on-alloc memory initialization enabled.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.11-rc1, 6.11-rc2, 6.11-rc3
- Systems without CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or equivalent kernel command line parameter
Discovery Timeline
- September 2, 2024 - CVE-2024-44947 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-44947
Vulnerability Analysis
This vulnerability stems from improper initialization in the FUSE filesystem's notification store mechanism (CWE-665: Improper Initialization). When the fuse_notify_store() function processes page data, it can leave portions of memory pages beyond the end-of-file position in an uninitialized state. These uninitialized memory regions may contain stale data from previous kernel allocations.
The critical issue arises when the function marks such pages as "uptodate" without ensuring all page contents are properly initialized. Once marked uptodate, userspace applications can access these pages through mmap() system calls, inadvertently gaining access to kernel memory contents that should have been zeroed or otherwise sanitized.
This information leak primarily impacts systems that do not have automatic memory initialization enabled via the CONFIG_INIT_ON_ALLOC_DEFAULT_ON kernel configuration option or the corresponding boot parameter. On affected systems, an attacker with local access could potentially recover sensitive information from kernel memory, including data from previous allocations.
Root Cause
The root cause lies in the asymmetric handling of page initialization between fuse_do_readpage() and fuse_notify_store(). While fuse_do_readpage() enables page zeroing to ensure clean memory pages, fuse_notify_store() intentionally omits this step to support partial page content updates. This design creates a security vulnerability where beyond-EOF page regions remain uninitialized before the page is marked as uptodate, allowing uninitialized memory to be exposed to userspace.
Attack Vector
The vulnerability requires local access and low privileges to exploit. An attacker would need to:
- Create or access a FUSE-mounted filesystem
- Trigger the fuse_notify_store() code path with carefully crafted operations
- Use mmap() to map the affected pages into their address space
- Read the beyond-EOF portions of the mapped pages to access uninitialized kernel memory
The attack is limited to information disclosure without direct impact on system integrity or availability. The exploitation complexity is low, requiring no user interaction.
Detection Methods for CVE-2024-44947
Indicators of Compromise
- Unusual mmap() system calls targeting FUSE-mounted filesystems
- Processes attempting to read beyond EOF positions on FUSE files
- Memory access patterns indicative of information disclosure attempts on FUSE mounts
- Abnormal FUSE notification activity from userspace filesystem daemons
Detection Strategies
- Monitor system calls related to FUSE operations, particularly mmap() with read permissions on FUSE filesystems; mmap() of FUSE-backed files is routine for many workloads, so baseline normal activity first and treat deviations as a signal to investigate rather than an alert on its own
- Implement audit logging for FUSE mount operations and subsequent file access patterns
- Deploy kernel-level monitoring for fuse_notify_store() invocations followed by memory mapping operations
- Use security tools capable of detecting memory disclosure attack patterns
Monitoring Recommendations
- Enable comprehensive audit logging for FUSE-related kernel operations
- Monitor for processes accessing memory regions beyond expected file boundaries
- Track FUSE daemon behavior for anomalous notification patterns
- Consider enabling CONFIG_INIT_ON_ALLOC_DEFAULT_ON as a defense-in-depth measure while patching
How to Mitigate CVE-2024-44947
Immediate Actions Required
- Apply the latest kernel security patches from your Linux distribution
- Enable init-on-alloc via the init_on_alloc=1 kernel boot parameter as an immediate mitigation
- Review systems with FUSE filesystems for potential exploitation attempts
- Prioritize patching on multi-user systems where local privilege boundaries are security-critical
Patch Information
Multiple patches have been released across various kernel stable branches to address this vulnerability. The fix ensures that fuse_notify_store() properly initializes beyond-EOF page contents before marking pages as uptodate.
Key patch commits:
Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Additional technical details are available in the Project Zero Issue Report.
Workarounds
- Enable kernel memory initialization at boot with init_on_alloc=1 kernel parameter
- Rebuild the kernel with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y if possible
- Restrict access to FUSE filesystem operations for untrusted users
- Consider disabling FUSE support on systems where it is not required until patches are applied
# Enable init-on-alloc via kernel boot parameter
# Edit /etc/default/grub and add init_on_alloc=1 to the existing
# GRUB_CMDLINE_LINUX value (append it inside the quotes rather than replacing
# the string, so options already present such as the root device are kept)
GRUB_CMDLINE_LINUX="init_on_alloc=1"
# Regenerate the GRUB configuration and reboot for the parameter to take effect
# (update-grub is the Debian/Ubuntu wrapper; RHEL-family systems use
# grub2-mkconfig -o /boot/grub2/grub.cfg instead)
sudo update-grub
sudo reboot
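To check whether a host is in the exposed configuration described above (FUSE filesystems mounted while init_on_alloc is not in effect), the following shell script is an added example; it is not part of the advisory or of the kernel project, and its helper names and the sample /proc data are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Exposure check for CVE-2024-44947: is init_on_alloc in effect, and are FUSE
# filesystems mounted? Hypothetical helper, not from the advisory; all checks
# parse plain text so they can also run over data captured from another host.
# Effective init_on_alloc setting from a kernel command line and kernel config
# text. The boot parameter overrides the compiled-in default, as in the kernel.
init_on_alloc_state() {
    for tok in $1; do
        case "$tok" in
            init_on_alloc=1) echo on; return 0 ;;
            init_on_alloc=0) echo off; return 0 ;;
        esac
    done
    case "$2" in
        *CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y*) echo on ;;
        *) echo off ;;
    esac
}
# Mount points of FUSE filesystems from /proc/mounts-style text (type "fuse"
# or "fuse.<name>", e.g. fuse.sshfs).
fuse_mount_points() {
    printf '%s\n' "$1" | awk '$3 == "fuse" || $3 ~ /^fuse\./ { print $2 }'
}
# Verdict: exposed (FUSE mounted, init_on_alloc off), mitigated, or no-fuse.
assess() {
    state=$(init_on_alloc_state "$1" "$2")
    mounts=$(fuse_mount_points "$3")
    if [ -z "$mounts" ]; then echo no-fuse
    elif [ "$state" = on ]; then echo mitigated
    else echo exposed
    fi
}
# Constructed sample data standing in for /proc/cmdline, the decompressed
# /proc/config.gz and /proc/mounts of a host that has not applied the workaround.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"
SAMPLE_CONFIG="CONFIG_FUSE_FS=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not set"
SAMPLE_MOUNTS="proc /proc proc rw,nosuid 0 0
user@host:/data /mnt/data fuse.sshfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0"
if [ "${1:-}" = "--live" ]; then   # read the running kernel's state
    cfg=""; [ -r /proc/config.gz ] && cfg=$(zcat /proc/config.gz)
    assess "$(cat /proc/cmdline)" "$cfg" "$(cat /proc/mounts)"
else                                # demo on the constructed sample
    assess "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG" "$SAMPLE_MOUNTS"
fi
```

Run with --live on the host to evaluate the real /proc state; without arguments it evaluates the constructed sample. If /proc/config.gz is absent (CONFIG_IKCONFIG_PROC not set), only the boot parameter is considered and a missing init_on_alloc=1 is reported as off, which errs on the side of flagging the host.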
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

