{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu20.04els/vex/2024/cve-2024-46787-els_os-ubuntu20_04els.json" } ], "title": "Security update on CVE-2024-46787", "tracking": { "current_release_date": "2025-12-23T22:15:38Z", "generator": { "date": "2025-12-23T22:15:38Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2024-46787-ELS_OS-UBUNTU20.04ELS", "initial_release_date": "2024-09-18T08:15:00Z", "revision_history": [ { "date": "2024-09-18T08:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-07-21T08:19:10Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-12-23T22:15:38Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 20.04", "product": { "name": "Ubuntu 20.04", "product_id": "Ubuntu-20", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product": { "name": "linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_id": "linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-modules-5.4.0-220-tuxcare.els2-lowlatency@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product": { "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_id": "linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-cloud-tools-5.4.0-220-tuxcare.els2-generic@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product": { "name": "linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_id": "linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-modules-extra-5.4.0-220-tuxcare.els2-generic@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product": { "name": "linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_id": "linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-headers-5.4.0-220-tuxcare.els2-lowlatency@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product": { "name": "linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_id": "linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-image-unsigned-5.4.0-220-tuxcare.els2-generic@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product": { "name": "linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_id": "linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-tools-5.4.0-220-tuxcare.els2-lowlatency@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product": { "name": "linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_id": "linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-headers-5.4.0-220-tuxcare.els2-generic@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product": { "name": "linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_id": "linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-tools-5.4.0-220-tuxcare.els2-generic@5.4.0-220.240?arch=amd64" } } }, { "category": "product_version", "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64", "product": { "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64", "product_id": "linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-cloud-tools-5.4.0-220-tuxcare.els2@5.4.0-220.240?arch=amd64" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "linux-cloud-tools-common-0:5.4.0-220.240.all", "product": { "name": "linux-cloud-tools-common-0:5.4.0-220.240.all", "product_id": "linux-cloud-tools-common-0:5.4.0-220.240.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/linux-cloud-tools-common@5.4.0-220.240?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64" }, "product_reference": "linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64" }, "product_reference": "linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64" }, "product_reference": "linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64" }, "product_reference": "linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-cloud-tools-common-0:5.4.0-220.240.all as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-cloud-tools-common-0:5.4.0-220.240.all" }, "product_reference": "linux-cloud-tools-common-0:5.4.0-220.240.all", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64" }, "product_reference": "linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64" }, "product_reference": "linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64" }, "product_reference": "linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64" }, "product_reference": "linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" }, { "category": "default_component_of", "full_product_name": { "name": "linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64 as a component of Ubuntu 20.04", "product_id": "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64" }, "product_reference": "linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64", "relates_to_product_reference": "Ubuntu-20" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-46787", "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nuserfaultfd: fix checks for huge PMDs\n\nPatch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2.\n\nThe pmd_trans_huge() code in mfill_atomic() is wrong in three different\nways depending on kernel version:\n\n1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit\n the right two race windows) - I've tested this in a kernel build with\n some extra mdelay() calls. See the commit message for a description\n of the race scenario.\n On older kernels (before 6.5), I think the same bug can even\n theoretically lead to accessing transhuge page contents as a page table\n if you hit the right 5 narrow race windows (I haven't tested this case).\n2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for\n detecting PMDs that don't point to page tables.\n On older kernels (before 6.5), you'd just have to win a single fairly\n wide race to hit this.\n I've tested this on 6.1 stable by racing migration (with a mdelay()\n patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86\n VM, that causes a kernel oops in ptlock_ptr().\n3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed\n to yank page tables out from under us (though I haven't tested that),\n so I think the BUG_ON() checks in mfill_atomic() are just wrong.\n\nI decided to write two separate fixes for these (one fix for bugs 1+2, one\nfix for bug 3), so that the first fix can be backported to kernels\naffected by bugs 1+2.\n\n\nThis patch (of 2):\n\nThis fixes two issues.\n\nI discovered that the following race can occur:\n\n mfill_atomic other thread\n ============ ============\n \n pmdp_get_lockless() [reads none pmd]\n \n \n \n __pte_alloc [no-op]\n \n \n BUG_ON(pmd_none(*dst_pmd))\n\nI have experimentally verified this in a kernel with extra mdelay() calls;\nthe BUG_ON(pmd_none(*dst_pmd)) triggers.\n\nOn kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow\npte_offset_map[_lock]() to fail\"), this can't lead to anything worse than\na BUG_ON(), since the page table access helpers are actually designed to\ndeal with page tables concurrently disappearing; but on older kernels\n(<=6.4), I think we could probably theoretically race past the two\nBUG_ON() checks and end up treating a hugepage as a page table.\n\nThe second issue is that, as Qi Zheng pointed out, there are other types\nof huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs\n(in particular, migration PMDs).\n\nOn <=6.4, this is worse than the first issue: If mfill_atomic() runs on a\nPMD that contains a migration entry (which just requires winning a single,\nfairly wide race), it will pass the PMD to pte_offset_map_lock(), which\nassumes that the PMD points to a page table.\n\nBreakage follows: First, the kernel tries to take the PTE lock (which will\ncrash or maybe worse if there is no \"struct page\" for the address bits in\nthe migration entry PMD - I think at least on X86 there usually is no\ncorresponding \"struct page\" thanks to the PTE inversion mitigation, amd64\nlooks different).\n\nIf that didn't crash, the kernel would next try to write a PTE into what\nit wrongly thinks is a page table.\n\nAs part of fixing these issues, get rid of the check for pmd_trans_huge()\nbefore __pte_alloc() - that's redundant, we're going to have to check for\nthat after the __pte_alloc() anyway.\n\nBackport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-20:linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-common-0:5.4.0-220.240.all", "Ubuntu-20:linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2024-46787" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/3c6b4bcf37845c9359aed926324bed66bdd2448d", "url": "https://git.kernel.org/stable/c/3c6b4bcf37845c9359aed926324bed66bdd2448d" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8", "url": "https://git.kernel.org/stable/c/71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8" }, { "category": "external", "summary": "https://git.kernel.org/stable/c/98cc18b1b71e23fe81a5194ed432b20c2d81a01a", "url": "https://git.kernel.org/stable/c/98cc18b1b71e23fe81a5194ed432b20c2d81a01a" } ], "release_date": "2024-09-18T08:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-20:linux-modules-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-modules-extra-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-common-0:5.4.0-220.240.all", "Ubuntu-20:linux-image-unsigned-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-lowlatency-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-headers-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-tools-5.4.0-220-tuxcare.els2-generic-0:5.4.0-220.240.amd64", "Ubuntu-20:linux-cloud-tools-5.4.0-220-tuxcare.els2-0:5.4.0-220.240.amd64" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] } ] }