CVE-2024-49975

uprobes: fix kernel info leak via "[uprobes]" vma

Description

In the Linux kernel, the following vulnerability has been resolved: uprobes: fix kernel info leak via "[uprobes]" vma xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, debugger can read this memory anyway.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.03%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/f31f92107e5a8ecc8902705122c594e979a351fe
https://git.kernel.org/stable/c/fe5e9182d3e227476642ae2b312e2356c4d326a3
https://git.kernel.org/stable/c/f561b48d633ac2e7d0d667020fc634a96ade33a0 patch
https://git.kernel.org/stable/c/21cb47db1ec9765f91304763a24565ddc22d2492 patch
https://git.kernel.org/stable/c/24141df5a8615790950deedd926a44ddf1dfd6d8 patch
https://git.kernel.org/stable/c/5b981d8335e18aef7908a068529a3287258ff6d8 patch
https://git.kernel.org/stable/c/2aa45f43709ba2082917bd2973d02687075b6eee patch
https://git.kernel.org/stable/c/9634e8dc964a4adafa7e1535147abd7ec29441a6 patch
https://git.kernel.org/stable/c/34820304cc2cd1804ee1f8f3504ec77813d29c8e patch

Frequently Asked Questions

What is the severity of CVE-2024-49975?
CVE-2024-49975 has been scored as a medium severity vulnerability.
How to fix CVE-2024-49975?
To fix CVE-2024-49975, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-49975 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-49975 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-49975?
CVE-2024-49975 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.