CVE-2024-47745 Overview
CVE-2024-47745 is an authorization bypass vulnerability in the Linux kernel's memory management subsystem. The vulnerability exists in the remap_file_pages() syscall handler, which calls do_mmap() directly without invoking the security_mmap_file() LSM (Linux Security Module) hook. This missing security check allows attackers to bypass Write XOR Execute (W^X) policies enforced by SELinux, potentially enabling the creation of memory pages with RWX (Read-Write-Execute) permissions.
Critical Impact
Local attackers can bypass SELinux W^X security policies to create executable memory regions, potentially facilitating code injection attacks and privilege escalation on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Debian Linux (via kernel packages)
- Enterprise Linux distributions using affected kernel versions
Discovery Timeline
- 2024-10-21 - CVE-2024-47745 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-47745
Vulnerability Analysis
This vulnerability stems from an improper control flow implementation (CWE-670) in the Linux kernel's memory management code. When a process has previously called personality(READ_IMPLIES_EXEC) and subsequently invokes remap_file_pages() for RW (Read-Write) pages, the pages are remapped to RWX (Read-Write-Execute) without proper security validation. This occurs because the remap_file_pages() syscall handler bypasses the security_mmap_file() LSM hook that would normally enforce memory protection policies.
The vulnerability is similar to CVE-2016-10044, which achieved the same SELinux bypass through the AIO (Asynchronous I/O) subsystem. In both cases, the fundamental issue is a missing security check that allows memory protection policies to be circumvented.
Root Cause
The root cause is the absence of the security_mmap_file() LSM hook call within the remap_file_pages() syscall handler before invoking do_mmap(). The LSM framework provides security hooks that allow security modules like SELinux to enforce mandatory access controls. When this hook is not called, SELinux cannot validate whether the memory mapping request complies with the system's security policy, specifically the W^X policy that prevents memory pages from being both writable and executable simultaneously.
Attack Vector
The attack requires local access to the system and low privileges. The attack chain is:
- Creating a memory-mapped file using memfd_create() and mmap() with PROT_READ | PROT_WRITE permissions
- Modifying the process personality using personality(READ_IMPLIES_EXEC | old) to set the READ_IMPLIES_EXEC flag
- Calling remap_file_pages() on the mapped memory region
- The kernel then remaps the pages to RWX without SELinux validation
The CVE description includes a proof-of-concept demonstrating this attack chain. The PoC creates a shared memory mapping, enables READ_IMPLIES_EXEC personality, uses remap_file_pages() to remap pages, and then displays /proc/self/maps to show the resulting RWX memory region exists despite W^X policy enforcement.
Detection Methods for CVE-2024-47745
Indicators of Compromise
- Processes with unexpected RWX memory mappings visible in /proc/[pid]/maps
- Unusual remap_file_pages() syscall activity following personality() syscalls with READ_IMPLIES_EXEC flag
- SELinux denials or anomalies related to memory execution permissions
- Processes using memfd_create() combined with personality modifications
Detection Strategies
- Monitor for remap_file_pages() syscalls using audit subsystem rules (e.g., auditctl -a always,exit -F arch=b64 -S remap_file_pages)
- Implement process memory monitoring to detect unexpected RWX regions in process address spaces
- Use SELinux audit logs to identify potential policy bypass attempts
- Deploy kernel-level monitoring for personality changes with READ_IMPLIES_EXEC flag
Monitoring Recommendations
- Enable comprehensive syscall auditing for memory management operations including mmap, remap_file_pages, and personality
- Configure SentinelOne Singularity platform for Linux endpoint monitoring with memory protection policy detection
- Implement periodic scanning of /proc/[pid]/maps for unexpected executable memory regions
- Set up alerting for processes that combine personality modifications with file remapping operations
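The periodic /proc/[pid]/maps scan recommended above can be implemented as follows. This is an added example, not code from the CVE record or from any vendor tool; the function and struct names are illustrative, and it reports every region that is both writable and executable, noting whether the mapping is shared.

```c
#include <stdio.h>
#include <string.h>

struct wx_region {
    unsigned long start, end;
    int shared;        /* 1 for a shared mapping ('s'), 0 for private ('p') */
    char path[128];    /* backing object; empty for anonymous memory */
};

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 when the region is both writable and executable. */
int parse_wx(const char *line, struct wx_region *r) {
    char perms[5] = "";
    r->path[0] = '\0';
    if (sscanf(line, "%lx-%lx %4s %*x %*s %*u %127[^\n]",
               &r->start, &r->end, perms, r->path) < 3)
        return 0;                      /* not a maps line */
    r->shared = perms[3] == 's';
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Print every W+X region in a maps stream and return how many were found. */
int scan_maps(FILE *fp) {
    char line[512];
    struct wx_region r;
    int total = 0;
    while (fgets(line, sizeof line, fp)) {
        if (!parse_wx(line, &r)) continue;
        total++;
        printf("W+X %lx-%lx %s %s\n", r.start, r.end,
               r.shared ? "shared" : "private",
               r.path[0] ? r.path : "[anonymous]");
    }
    return total;
}

/* Usage: ./wxscan [pid]   (defaults to the scanner's own address space) */
int main(int argc, char **argv) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/maps", argc > 1 ? argv[1] : "self");
    FILE *fp = fopen(path, "r");
    if (!fp) { perror(path); return 2; }
    int n = scan_maps(fp);
    fclose(fp);
    return n > 0;      /* exit status 1 when any W+X region exists */
}
```

A shared, memfd-backed region reported as W+X matches the mapping type used in the chain described under Attack Vector.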
How to Mitigate CVE-2024-47745
Immediate Actions Required
- Apply kernel patches from the official Linux kernel repository immediately
- Update to patched kernel versions available through your distribution's package manager
- Review and audit systems for potential exploitation attempts before patching
- Consider restricting access to the remap_file_pages() syscall via seccomp filters where applicable
Patch Information
The Linux kernel team has released patches to address this vulnerability. The fix adds the security_mmap_file() LSM hook call to the remap_file_pages() syscall handler, ensuring that security modules like SELinux can properly validate memory protection requests before they are executed.
Official patches are available through the following kernel git commits:
- Kernel Git Commit 3393fdd
- Kernel Git Commit 49d3a4a
- Kernel Git Commit ce14f38
- Kernel Git Commit ea7e2d5
Debian users should refer to the Debian LTS Announcement for distribution-specific updates.
Workarounds
- Use seccomp filters to block or restrict remap_file_pages() syscall access for untrusted processes
- Implement application sandboxing with restricted syscall profiles that exclude remap_file_pages()
- Enable additional process isolation using container technologies with restricted syscall allowlists
- Monitor for exploitation attempts while awaiting patch deployment
# Example seccomp filter configuration (conceptual)
# Block remap_file_pages syscall using seccomp BPF
# Add to application startup or container security profile
# Syscall number for remap_file_pages: 216 (x86_64)
# Verify current kernel version
uname -r
# Check for available kernel updates
apt update && apt list --upgradable | grep linux-image
# or for RHEL-based systems
yum check-update kernel
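The seccomp workaround listed above, written out as a working filter. This is an added example, not code from the kernel patch or the CVE record; the function names are illustrative, and it assumes an x86_64 or aarch64 build with Linux UAPI headers installed.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif

/* Deny remap_file_pages() with EPERM and allow everything else. A syscall
 * made through another ABI kills the process, so the deny rule cannot be
 * sidestepped via a different syscall table. */
static struct sock_filter deny_remap[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, ~0x40000000u), /* fold x32 numbers */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_remap_file_pages, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter on the calling thread; returns 0 on success. */
int install_remap_file_pages_deny(void) {
    struct sock_fprog prog = { .len = sizeof deny_remap / sizeof deny_remap[0],
                               .filter = deny_remap };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Self-check in a child process: returns the errno produced by a
 * remap_file_pages() call after the filter is installed, or -1 on failure. */
int probe_in_child(void) {
    int st;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_remap_file_pages_deny() != 0) _exit(255);
        errno = 0;
        syscall(__NR_remap_file_pages, 0L, 0L, 0L, 0L, 0L); /* dummy arguments */
        _exit(errno);
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 255 ? -1 : WEXITSTATUS(st);
}

int main(void) { return probe_in_child() == EPERM ? 0 : 1; }
```

Call install_remap_file_pages_deny() early in the untrusted process, before it handles any input; the filter is inherited across fork() and execve() and cannot be removed afterwards.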
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

