Exploiting Side-Channel Leakage Enables Successful Exploitation of the Latest Linux Kernel

In a concerning development for Linux kernel security, researchers have demonstrated how side-channel leakage introduced by kernel defenses themselves can be exploited to compromise even the latest Linux kernels. The technique, detailed in a USENIX Security paper, shows how certain defenses inadvertently create exploitable patterns that let attackers bypass the kernel's randomization protections.

The Linux kernel employs various security measures to protect against exploitation, a fundamental one being the randomization of the memory locations of security-critical objects. However, the researchers found that specific patterns in the Translation Lookaside Buffer (TLB), the CPU buffer that caches virtual-to-physical address translations, can be exploited to leak those protected locations.

Lukas Maar and fellow researchers at Graz University of Technology identified the problem through a systematic analysis of 127 kernel defenses recommended by the Kernel Self-Protection Project or used within Google's KernelCTF bug bounty program. Their findings revealed that three specific defenses, enforcing strict memory permissions, virtualizing the kernel heap, and virtualizing the kernel stack, unintentionally create exploitable TLB contention patterns.

The root cause is a change in mapping granularity. When a defense such as CONFIG_STRICT_MODULE_RWX is enabled, the kernel must split 2MB mappings into 4KB pages in order to set per-page permissions. A security-critical object then occupies a TLB entry of its own instead of sharing one 2MB entry with everything around it, and the TLB set that entry lands in is determined by the object's virtual address, which is exactly what the randomization was meant to hide.

Building on this, the researchers developed what they call "location disclosure attacks", which combine kernel allocator massaging with TLB side-channel techniques. The attack uses an Evict+Reload TLB side channel to measure contention patterns and determine exactly where security-critical objects are located. It leaks the locations of page tables, heap objects, and kernel stacks in 0.3 to 17.8 seconds with minimal false positives, and once those locations are known, attackers can perform stable and reliable privilege escalation.
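To make the 4KB-versus-2MB effect and the Evict+Reload measurement concrete, the following C program is an added example that is not code from the paper or from this article. It simulates a shared, set-associative TLB with LRU replacement and indexes sets by page number modulo the set count (an assumption: real second-level TLBs use hashed indices that must be reverse-engineered first). The "kernel" is a stand-in syscall that touches one randomized object; the attacker fills a TLB set with its own 4KB user pages, triggers the syscall, reloads its pages and counts misses. With a 4KB mapping the contending set pins down the object's page; with a 2MB mapping it only narrows the object to a 2MB region, leaving 512 candidate pages. All addresses, set and way counts are constructed for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy shared TLB: NSETS sets x NWAYS ways, LRU replacement.
 * Assumption: set index = page number mod NSETS. Real STLBs hash
 * address bits, but the page-granularity effect is the same. */
#define NSETS 128
#define NWAYS 8
#define PAGE_4K 12      /* 4 KiB page: page number = vaddr >> 12 */
#define PAGE_2M 21      /* 2 MiB page: page number = vaddr >> 21 */

typedef struct {
    uint64_t tag[NWAYS];
    bool     valid[NWAYS];
    unsigned lru[NWAYS];
    unsigned tick;
} tlb_set_t;

typedef struct { tlb_set_t set[NSETS]; } tlb_t;

static void tlb_reset(tlb_t *t) { memset(t, 0, sizeof *t); }

static unsigned tlb_set_index(uint64_t vaddr, unsigned page_shift)
{
    return (unsigned)((vaddr >> page_shift) % NSETS);
}

/* Look a translation up; on a miss install it in the LRU way, return false. */
static bool tlb_access(tlb_t *t, uint64_t vaddr, unsigned page_shift)
{
    tlb_set_t *s = &t->set[tlb_set_index(vaddr, page_shift)];
    /* fold the page size into the tag so a 4K and a 2M entry never alias */
    uint64_t tag = (vaddr >> page_shift) | ((uint64_t)page_shift << 56);
    int victim = 0;

    s->tick++;
    for (int w = 0; w < NWAYS; w++)
        if (s->valid[w] && s->tag[w] == tag) { s->lru[w] = s->tick; return true; }
    for (int w = 0; w < NWAYS; w++) {
        if (!s->valid[w]) { victim = w; break; }
        if (s->lru[w] < s->lru[victim]) victim = w;
    }
    s->valid[victim] = true;
    s->tag[victim]   = tag;
    s->lru[victim]   = s->tick;
    return false;
}

/* Attacker's user-space pages, all 4K-mapped (constructed addresses).
 * Page (set, way) is placed so that its translation indexes TLB set `set`. */
#define USER_BASE 0x7f0000000000ULL
static uint64_t user_page(unsigned set, unsigned way)
{
    return USER_BASE + ((uint64_t)(way * NSETS + set) << PAGE_4K);
}

/* Stand-in kernel: a syscall that touches one security-critical object
 * (page table, heap object, stack) at a randomized address. page_shift
 * models whether a defense split the object's mapping down to 4K pages. */
typedef struct { uint64_t obj_vaddr; unsigned page_shift; } kernel_t;

static void kernel_syscall(tlb_t *t, const kernel_t *k)
{
    tlb_access(t, k->obj_vaddr, k->page_shift);
}

/* Evict+Reload over TLB sets: fill set s with attacker entries, run the
 * kernel, reload the attacker entries and count misses. Contention in set s
 * means the kernel touched a page whose translation indexes set s. */
static int leak_set_index(tlb_t *t, const kernel_t *k)
{
    for (unsigned s = 0; s < NSETS; s++) {
        for (unsigned w = 0; w < NWAYS; w++) tlb_access(t, user_page(s, w), PAGE_4K);
        kernel_syscall(t, k);
        int misses = 0;
        for (unsigned w = 0; w < NWAYS; w++)
            if (!tlb_access(t, user_page(s, w), PAGE_4K)) misses++;
        if (misses > 0) return (int)s;
    }
    return -1;                       /* no contention observed */
}

/* Fresh TLB per measurement so results are reproducible. */
static int leak_for(uint64_t obj_vaddr, unsigned page_shift)
{
    tlb_t t;
    kernel_t k = { obj_vaddr, page_shift };
    tlb_reset(&t);
    return leak_set_index(&t, &k);
}

/* What a leaked set index reveals about the object's virtual address. */
static uint64_t leaked_mask(unsigned page_shift)        { return (uint64_t)(NSETS - 1) << page_shift; }
static uint64_t leaked_value(int set, unsigned page_shift) { return (uint64_t)set << page_shift; }
/* 4K pages still consistent with the leak inside one NSETS-page window. */
static uint64_t candidate_pages(unsigned page_shift)    { return 1ULL << (page_shift - PAGE_4K); }

int main(void)
{
    uint64_t obj = 0xffff888012345000ULL;   /* constructed "randomized" kernel object */
    unsigned shifts[2] = { PAGE_2M, PAGE_4K };
    for (int i = 0; i < 2; i++) {
        int s = leak_for(obj, shifts[i]);
        printf("%s mapping: contention in set %3d -> bits %#018llx (mask %#llx), %llu candidate 4K pages\n",
               shifts[i] == PAGE_4K ? "4K" : "2M", s,
               (unsigned long long)leaked_value(s, shifts[i]),
               (unsigned long long)leaked_mask(shifts[i]),
               (unsigned long long)candidate_pages(shifts[i]));
    }
    return 0;
}
```

Compile with `cc -O2 tlb_sim.c`. On real hardware the attacker has to recover the STLB's set-index function first, repeat each measurement and threshold the miss counts to suppress noise, and use the allocator massaging the article mentions to ensure the syscall touches the object of interest; the simulation skips those steps. To see whether the defense the article names is active on a given machine, check `grep STRICT_MODULE_RWX /boot/config-$(uname -r)` (or `/proc/config.gz` where present).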

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Apr 2025 09:00:09 +0000

