CVE-2024-50275 Overview
A race condition vulnerability exists in the Linux kernel's arm64 SVE (Scalable Vector Extension) trap handler. The race occurs when the SVE trap handler is preempted both before and after it manipulates the saved FPSIMD/SVE state, and the task ends up back on the CPU it started on. A task can then have TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (with SVE traps still enabled), which leads to kernel warnings and potential system instability.
Critical Impact
Local attackers with low privileges can exploit this race condition to potentially achieve high impact on confidentiality, integrity, and availability of affected arm64 systems running vulnerable Linux kernel versions.
Affected Products
- Linux Kernel versions 5.10.229 to 5.10.230 (excluding 5.10.230)
- Linux Kernel versions 6.1.116 to 6.1.118 (excluding 6.1.118)
- Linux Kernel versions 6.6.60 to 6.6.62 (excluding 6.6.62)
- Linux Kernel versions 6.11.7 to 6.11.9 (excluding 6.11.9)
- Linux Kernel 6.12 release candidates (rc1 through rc6)
Discovery Timeline
- 2024-11-19 - CVE-2024-50275 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-50275
Vulnerability Analysis
The vulnerability exists in the do_sve_acc() function within the Linux kernel's arm64 architecture-specific code. The function handles SVE traps but incorrectly manipulates saved FPSIMD/SVE state, creating a time-of-check to time-of-use (TOCTOU) race condition window when the process is preempted between operations.
When a task traps on CPU 0 with TIF_SVE clear and SVE traps enabled, the task->fpsimd_cpu is set to 0 and per_cpu_ptr(&fpsimd_last_state, 0) points to the task. If the trap handler is preempted and the task migrates from CPU 0 to CPU 1, TIF_FOREIGN_FPSTATE is set. However, if the task is preempted again and migrates back to CPU 0, the stale hardware state may be incorrectly reused because task->fpsimd_cpu still equals 0 and per_cpu_ptr(&fpsimd_last_state, 0) may still point to the task.
Root Cause
The root cause is the failure to properly discard stale CPU state when handling SVE traps in the arm64 architecture. The sve_init_regs() function within the trap handler does not call fpsimd_flush_task_state() to detach from the saved CPU state when TIF_FOREIGN_FPSTATE is set. This allows subsequent context switches to potentially reuse stale CPU state with SVE traps still enabled, resulting in TIF_FOREIGN_FPSTATE being incorrectly cleared and hardware state restoration being skipped on return to userspace.
Attack Vector
This is a local attack vector requiring low privileges. The vulnerability manifests through the following race condition scenario:
- A task traps on CPU 0 with TIF_SVE clear and SVE traps enabled
- The trap handler begins execution, acquiring the FPSIMD context
- The task is preempted and migrated to CPU 1, setting TIF_FOREIGN_FPSTATE
- The trap handler sets TIF_SVE and calls sve_init_regs(), which, because TIF_FOREIGN_FPSTATE is set, updates only the in-memory copy of the state
- The task is preempted again and migrated back to CPU 0
- Since task->fpsimd_cpu still matches CPU 0, stale hardware state may be reused
- TIF_FOREIGN_FPSTATE is incorrectly cleared, causing the return to userspace to skip proper state restoration
The fix adds a call to fpsimd_flush_task_state() to ensure the saved CPU state is properly detached when the state is not live, forcing subsequent context switches to reload state from memory.
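The interleaving above, and why the one-line fix closes it, is easiest to see in a replayable model. The following is an added example written for this page, not kernel code: a user-space C model of the per-task and per-CPU bookkeeping (task->fpsimd_cpu, fpsimd_last_state, TIF_SVE, TIF_FOREIGN_FPSTATE) with simplified stand-in structures. The helper names mirror the kernel functions they model, the register contents themselves are not modelled, and the `fixed` flag is an assumption of the model used to switch the fpsimd_flush_task_state() call in the foreign branch of sve_init_regs() on and off.

```c
/* Added example, not kernel code: a user-space model of the FPSIMD/SVE
 * bookkeeping behind CVE-2024-50275. Names mirror the kernel's, but the
 * structures are simplified stand-ins; register contents are not modelled. */
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 2
enum { TIF_SVE = 1u << 0, TIF_FOREIGN_FPSTATE = 1u << 1 };

struct task {
    unsigned flags;   /* TIF_* bits */
    int fpsimd_cpu;   /* CPU whose registers last held this task's state */
};

struct cpu_state {
    struct task *last;       /* fpsimd_last_state: owner of the live registers */
    bool sve_trap_enabled;   /* hardware still traps on SVE use */
    bool restored_from_mem;  /* a reload happened before returning to user */
};

static struct cpu_state cpus[NR_CPUS];

/* fpsimd_bind_task_to_cpu(): the registers on cpu now hold t's state. */
static void bind_task_to_cpu(struct task *t, int cpu)
{
    cpus[cpu].last = t;
    t->fpsimd_cpu = cpu;
}

/* fpsimd_flush_task_state(): detach t from any saved CPU state so the next
 * context switch must reload from memory. This is the call the fix adds. */
static void flush_task_state(struct task *t)
{
    t->fpsimd_cpu = NR_CPUS;
    t->flags |= TIF_FOREIGN_FPSTATE;
}

/* fpsimd_thread_switch(): on switching t in on cpu, the registers are trusted
 * only if they were last bound to this task on this same CPU. */
static void thread_switch_in(struct task *t, int cpu)
{
    bool wrong_task = cpus[cpu].last != t;
    bool wrong_cpu = t->fpsimd_cpu != cpu;
    if (wrong_task || wrong_cpu)
        t->flags |= TIF_FOREIGN_FPSTATE;
    else
        t->flags &= ~TIF_FOREIGN_FPSTATE;
}

/* sve_init_regs(): the part of do_sve_acc() that runs after TIF_SVE is set. */
static void sve_init_regs(struct task *t, int cpu, bool fixed)
{
    if (!(t->flags & TIF_FOREIGN_FPSTATE)) {
        /* State is live: convert in the registers, disable the trap, rebind. */
        cpus[cpu].sve_trap_enabled = false;
        bind_task_to_cpu(t, cpu);
    } else if (fixed) {
        /* State is only in memory. The vulnerable code converts the in-memory
         * copy and returns, leaving fpsimd_cpu pointing at the old CPU. */
        flush_task_state(t);
    }
}

/* fpsimd_restore_current_state(): on return to userspace, reload the registers
 * (and disable SVE traps) only when the state is marked foreign. */
static void restore_current_state(struct task *t, int cpu)
{
    if (t->flags & TIF_FOREIGN_FPSTATE) {
        cpus[cpu].sve_trap_enabled = false;
        cpus[cpu].restored_from_mem = true;
        bind_task_to_cpu(t, cpu);
        t->flags &= ~TIF_FOREIGN_FPSTATE;
    }
}

/* Replay the interleaving from the advisory. Returns true when the task reaches
 * userspace with TIF_SVE set while its CPU still has SVE traps enabled and no
 * reload happened: the inconsistent state that later trips WARN_ON(1). */
bool replay_race(bool fixed)
{
    struct task t = { .flags = 0, .fpsimd_cpu = NR_CPUS };
    for (int c = 0; c < NR_CPUS; c++)
        cpus[c] = (struct cpu_state){ .last = NULL, .sve_trap_enabled = true };

    bind_task_to_cpu(&t, 0);      /* running on CPU 0 with live FPSIMD state */
    /* ... executes an SVE instruction, traps into do_sve_acc() with TIF_SVE clear */
    thread_switch_in(&t, 1);      /* preempted, migrated to CPU 1: now foreign */
    t.flags |= TIF_SVE;           /* handler resumes on CPU 1 */
    sve_init_regs(&t, 1, fixed);
    thread_switch_in(&t, 0);      /* preempted again, back to CPU 0; nothing
                                     else used CPU 0's FPSIMD registers meanwhile */
    restore_current_state(&t, 0); /* return to userspace */

    return (t.flags & TIF_SVE) && cpus[0].sve_trap_enabled &&
           !cpus[0].restored_from_mem;
}

int main(void)
{
    printf("vulnerable: stale CPU state reused = %s\n", replay_race(false) ? "yes" : "no");
    printf("fixed:      stale CPU state reused = %s\n", replay_race(true) ? "yes" : "no");
    return 0;
}
```

In the vulnerable replay the second switch back onto CPU 0 sees fpsimd_last_state == task and task->fpsimd_cpu == 0, so it clears TIF_FOREIGN_FPSTATE and the return to userspace skips the reload, leaving TIF_SVE set while the hardware still traps. With the flush in place, fpsimd_cpu no longer matches any CPU, the foreign flag survives the switch, and the reload on the way out disables the trap and rebinds the task.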
Detection Methods for CVE-2024-50275
Indicators of Compromise
- Kernel warning messages containing "SVE access shouldn't have trapped" in system logs
- WARN_ON(1) triggers from do_sve_acc() function indicating unexpected SVE traps while TIF_SVE is set
- Intermittent system instability on arm64 systems with SVE-enabled processors
- Unexpected behavior in applications utilizing SVE instructions
Detection Strategies
- Monitor kernel logs (dmesg or /var/log/kern.log) for warnings from the do_sve_acc() function
- Deploy kernel tracing probes on do_sve_acc() to detect anomalous trap handling patterns
- Use SentinelOne Singularity Platform to monitor for suspicious kernel-level activity and FPSIMD/SVE state manipulation anomalies
- Implement automated log analysis to detect patterns consistent with this race condition
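A concrete form of the log-monitoring strategy above, as an added example that is not part of the original advisory: the WARN_ON(1) in do_sve_acc() emits the kernel's standard warning header, "WARNING: CPU: <n> PID: <n> at <file>:<line> <function>+<offset>/<size>" (the phrase "SVE access shouldn't have trapped" is the source comment next to that WARN_ON, so the function name is the reliable thing to match on). This C program parses that header out of dmesg-style lines and counts the ones raised from do_sve_acc(). The sample log lines are constructed, and the source line number and the second, unrelated warning in them are placeholders.

```c
/* Added example (not from the advisory or the kernel): detect the do_sve_acc()
 * WARN_ON(1) splat in kernel log lines. Sample lines below are constructed;
 * the fpsimd.c line number and the drivers/example warning are placeholders. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct kwarn {
    int cpu;
    int pid;
    int line;
    char file[256];
    char func[64];
};

/* Parse one dmesg line; returns false if it is not a WARNING splat header.
 * A NULL w is accepted so the function can be used purely as a classifier. */
bool parse_kernel_warning(const char *text, struct kwarn *w)
{
    struct kwarn tmp;
    const char *p = strstr(text, "WARNING: CPU:");
    if (!p)
        return false;
    if (!w)
        w = &tmp;
    /* Format matches the kernel's "WARNING: CPU: %d PID: %d at %s:%d %pS". */
    return sscanf(p, "WARNING: CPU: %d PID: %d at %255[^:]:%d %63[^+ ]",
                  &w->cpu, &w->pid, w->file, &w->line, w->func) == 5;
}

/* Count WARNING splats raised from do_sve_acc(); other warnings are ignored. */
int count_sve_trap_warnings(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct kwarn w;
        if (parse_kernel_warning(lines[i], &w) && strcmp(w.func, "do_sve_acc") == 0) {
            hits++;
            printf("CVE-2024-50275 indicator: CPU %d PID %d (%s:%d)\n",
                   w.cpu, w.pid, w.file, w.line);
        }
    }
    return hits;
}

/* Constructed sample log: one relevant splat, one unrelated warning, noise. */
const char *const SAMPLE_DMESG[] = {
    "[  123.456789] ------------[ cut here ]------------",
    "[  123.456801] WARNING: CPU: 2 PID: 4321 at arch/arm64/kernel/fpsimd.c:1234 do_sve_acc+0xc4/0xd0",
    "[  123.456812] Modules linked in:",
    "[  200.000001] WARNING: CPU: 0 PID: 99 at drivers/example/example.c:42 example_probe+0x10/0x20",
    "[  300.000002] usb 1-1: new high-speed USB device number 3 using xhci-hcd",
};
const size_t SAMPLE_DMESG_LEN = sizeof SAMPLE_DMESG / sizeof SAMPLE_DMESG[0];

int main(void)
{
    /* In production, feed lines read from `dmesg` or the kernel log file instead. */
    int n = count_sve_trap_warnings(SAMPLE_DMESG, SAMPLE_DMESG_LEN);
    printf("%d do_sve_acc warning(s) found\n", n);
    return n > 0 ? 1 : 0;
}
```

Matching on the function name in the splat header rather than on the source comment keeps the check stable across kernel versions where the file line number moves, and the parsed CPU and PID fields give an incident responder the process to correlate with the migration pattern described above.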
Monitoring Recommendations
- Enable kernel debug options to capture detailed FPSIMD/SVE state transitions on affected arm64 systems
- Configure alerting for kernel warnings related to SVE trap handling
- Monitor system stability metrics on arm64 servers running vulnerable kernel versions
- Review process migration patterns across CPUs that may trigger the race condition
How to Mitigate CVE-2024-50275
Immediate Actions Required
- Update to patched Linux kernel versions immediately on all affected arm64 systems
- Prioritize patching for arm64 systems running SVE-enabled processors (ARMv8.2+ with SVE)
- Monitor kernel logs for any signs of exploitation attempts prior to patching
- Consider temporarily reducing CPU migration opportunities if patching cannot be performed immediately
Patch Information
Linux kernel maintainers have released patches to address this vulnerability. The fix involves calling fpsimd_flush_task_state() to properly detach from saved CPU state when TIF_FOREIGN_FPSTATE is set. Patched versions are available through the following commits:
Debian LTS users should refer to the Debian LTS Security Announcement for distribution-specific patch information.
Workarounds
- Pin critical SVE-utilizing processes to specific CPUs using taskset or cgroups to reduce migration-induced race conditions
- On non-production systems, consider disabling SVE support via kernel boot parameters if SVE functionality is not required
- Implement process affinity policies to minimize cross-CPU migrations during FPSIMD/SVE operations
- Deploy additional monitoring to detect exploitation attempts while awaiting patch deployment
# Configuration example - Pin process to specific CPU to reduce race condition exposure
taskset -c 0 ./sve_application
# Check if system has SVE support that could be affected (arm64 lists it in the Features line)
grep -i sve /proc/cpuinfo
# Monitor for kernel warnings related to this vulnerability. The WARN_ON(1) in
# do_sve_acc() prints a standard "WARNING: CPU: ... do_sve_acc+0x..." splat;
# "SVE access shouldn't have trapped" is the source comment beside it, not log text
dmesg | grep -E "WARNING:.*do_sve_acc"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.