CVE-2024-0443: Security Advisory and Response

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. This vulnerability has a moderate severity rating and a CVSS base score of 5.5, making it a medium-level security issue with a high impact on availability.

Understanding CVE-2024-0443

This vulnerability in the Linux kernel can allow an attacker with local access to cause system instability, such as triggering an out of memory error, due to a circular dependency issue in the blkgs destruction path.

What is CVE-2024-0443?

The vulnerability in the blkgs destruction path in the Linux kernel can lead to a cgroup blkio memory leakage problem. This occurs when blkcg and some blkgs are not freed after being made offline, creating a situation where an attacker could exploit the flaw to cause system instability.

The Impact of CVE-2024-0443

This vulnerability may allow a local attacker to exploit the flaw and cause system instability, potentially leading to an out of memory error. It poses a medium-level threat with a high impact on system availability.

Technical Details of CVE-2024-0443

The vulnerability is identified by a circular dependency in the destruction path of blkgs in the Linux kernel, specifically in block/blk-cgroup.c. When a cgroup is being destroyed, the blkcg reference count reaching 0 prevents blkcg and some blkgs from being freed after they are made offline, resulting in a cgroup blkio memory leakage problem.

Vulnerability Description

The circular dependency in the destruction path of blkgs in the Linux kernel leads to a cgroup blkio memory leakage problem, which can be exploited by a local attacker to induce system instability like an out of memory error.

Affected Systems and Versions

Red Hat Enterprise Linux 8. Affected version: 0:4.18.0-513.5.1.el8_9
Red Hat Enterprise Linux 9. Affected versions: kernel, kernel-rt
Fedora. Affected version: kernel (Some versions remain unaffected, as mentioned in the data)

Exploitation Mechanism

An attacker with local access could exploit the vulnerability by leveraging the circular dependency issue in the destruction path of blkgs, potentially causing system instability with severe consequences.

Mitigation and Prevention

To mitigate the impact of CVE-2024-0443, consider the following steps:

Immediate Steps to Take

Utilize the identified workarounds:

systemd.unified_cgroup_hierarchy=1

or

cgroup_disable=blkio

Long-Term Security Practices

Regularly update the kernel and related packages to patched versions
Implement strong access controls to limit local access and prevent unauthorized exploitation

Patching and Updates

Refer to the provided references for patching updates and security advisories to address CVE-2024-0443 effectively, minimizing the risk of exploitation and system instability.