LiveActive security incident?Get immediate response
CVE Record

CVE-2024-40947: ima: Avoid blocking in RCU read-side critical section

In the Linux kernel, the following vulnerability has been resolved: ima: Avoid blocking in RCU read-side critical section A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-40947 is a Linux kernel IMA bug where policy checking can sleep inside an RCU critical section. The source describes possible use-after-free behavior and a kernel panic. Business impact is primarily reliability and host availability risk on affected kernels, not confirmed remote compromise.

Executive priority

Treat as a scheduled kernel reliability fix unless your Linux fleet relies heavily on IMA or has exposed instability. Escalate for critical servers where host panic would affect service availability. There is no source-backed evidence of active exploitation.

Technical view

The vulnerable path is ima_match_policy after commit c7423dbdbc9e added ima_lsm_copy_rule inside rcu_read_lock. That path can allocate with GFP_KERNEL and sleep, allowing synchronize_rcu to return early on non-PREEMPT systems. The fix changes these allocations to GFP_ATOMIC.

Likely exposure

Exposure is Linux systems running affected kernel versions or downstream packages containing the faulty IMA change. Risk is most relevant where IMA policy evaluation is enabled or exercised. The bundle lists affected Linux versions including 5.10.222, 5.15.163, 6.1.98, 6.6.39, 6.9.7, and 6.10.

Exploitation context

The bundle does not report active exploitation, and KEV is false. The described failure can occur through kernel IMA policy evaluation and may cause panic through use-after-free behavior. No public exploit technique, attacker prerequisites, or remote attack path is established in the provided evidence.

Researcher notes

The source identifies a concurrency bug in IMA caused by GFP_KERNEL allocation under RCU read-side locking. The practical trigger conditions and attacker control are not fully described. Analysis should focus on affected kernel lineage, IMA configuration, and whether downstream kernels backported the faulty commit or fix.

Mitigation direction

  • Update to a Linux kernel containing the referenced stable fixes.
  • Use distribution security advisories for exact package versions and reboot requirements.
  • Prioritize systems using IMA or strict integrity measurement policies.
  • If patching is delayed, monitor vendor guidance for supported mitigations.
  • Do not deploy custom kernel workarounds without vendor validation.

Validation and detection

  • Inventory kernel versions across servers, containers hosts, and appliances.
  • Check whether IMA is enabled and policies are loaded.
  • Map running kernels against vendor fixed package advisories.
  • Review kernel logs for IMA-related panics or crashes.
  • Confirm patched systems boot into the updated kernel.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-40947 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxc4b035b1f036ddd53fbfced49046e586c5ad8a3e, 2d4bc60693c4206c64723e94ae5f7a04c0b8f18f, 8008f1691c15f353f5a53dc5d450b8262cb57421, c7423dbdbc9ecef7fff5239d144cad4b9887f4de, c7423dbdbc9ecef7fff5239d144cad4b9887f4de, c7423dbdbc9ecef7fff5239d144cad4b9887f4de, 38d48fd224036717fcb3437e7af1314f6ebcd2d0, 69c60b2a2dbb4887739d3a13297cc0dae3793f35, 5.10.163, 5.15.86, 6.1.2, 5.4.229, 6.0.16unaffected
LinuxLinux6.2, 0, 5.10.222, 5.15.163, 6.1.98, 6.6.39, 6.9.7, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.