What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-0564, is a side-channel flaw in the Linux kernel's memory deduplication mechanism, specifically within the Kernel Samepage Merging (KSM) feature. The flaw concerns the 'max page sharing' aspect of KSM, introduced in Linux kernel version 4.4.0-96.119. It matters because if an attacker and a victim share the same host, this flaw can allow the attacker to leak sensitive information from the victim's memory pages.
What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 6.5, which typically corresponds to a Medium severity level. The vulnerability was publicly disclosed and published on 2024-01-30 15:01:08. The CVE record was last modified on 2025-11-21 06:24:25.
Which products, vendors, systems, and versions are affected?
This vulnerability affects systems running the Linux kernel. Specifically, any Linux kernel version from 4.4.0-96.119 onwards that includes the KSM 'max page sharing' feature and has not yet been patched is considered vulnerable.
What is the technical root cause and attack vector?
The technical root cause lies within a design flaw in the Kernel Samepage Merging (KSM) memory deduplication mechanism of the Linux kernel. When the default setting of KSM's "max page sharing=256" is active, an attacker can leverage a timing side channel. The attack vector involves an attacker co-resident on the same host as the victim, exploiting the timing differences observed during memory unmapping operations, particularly when additional physical pages are created beyond KSM's maximum shared page limit.
How can this vulnerability be exploited?
Exploitation of CVE-2024-0564 requires the attacker and the victim to share the same host. The attacker can exploit this by precisely timing the unmap operation of memory pages. If the attacker's unmap operation merges with a victim's page, and this action leads to the creation of additional physical pages beyond KSM's "max page sharing" threshold (e.g., 256), the timing difference of this operation can be observed. This observed timing variation constitutes a side channel that allows the attacker to infer and subsequently leak content from the victim's memory pages.
How can vulnerable systems be detected?
Vulnerable systems can be detected by identifying the version of the Linux kernel in use. Systems running Linux kernel version 4.4.0-96.119 or any subsequent version that incorporates the KSM 'max page sharing' feature and has not received a patch for CVE-2024-0564 are vulnerable. Administrators should check their kernel versions and KSM configuration settings.
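A read-only check of the KSM configuration settings mentioned above, as an added example that is not part of the original page: it reads the standard KSM sysfs files (`run`, `pages_shared`, `pages_sharing`, `max_page_sharing`) and reports whether page merging is active on the host. The function names are hypothetical, and the result describes configuration only, not whether a patch is present.

```shell
#!/bin/sh
# Added example (not from the original page): report KSM state relevant to
# CVE-2024-0564. The sysfs directory is a parameter so the check can also be
# pointed at files collected from another host; function names are hypothetical.

ksm_read() {  # print one KSM sysfs value, or nothing if the file is absent
    if [ -r "$1/$2" ]; then tr -d '[:space:]' < "$1/$2"; fi
}

ksm_status() {
    dir=${1:-/sys/kernel/mm/ksm}
    if [ ! -d "$dir" ]; then
        echo "absent"                  # kernel built without KSM support
        return 0
    fi
    run=$(ksm_read "$dir" run)
    shared=$(ksm_read "$dir" pages_shared)
    case "$run" in
        1)  # ksmd is scanning; pages_shared > 0 means merges exist right now
            if [ "${shared:-0}" -gt 0 ]; then echo "active-merging"
            else echo "active-idle"; fi ;;
        0)  # ksmd stopped, but pages merged earlier stay merged
            if [ "${shared:-0}" -gt 0 ]; then echo "stopped-still-merged"
            else echo "off"; fi ;;
        2)  echo "off" ;;              # run=2 stops ksmd and unmerges all pages
        *)  echo "unknown" ;;
    esac
}

ksm_report() {
    dir=${1:-/sys/kernel/mm/ksm}
    echo "kernel:           $(uname -r)"
    echo "ksm status:       $(ksm_status "$dir")"
    echo "max_page_sharing: $(ksm_read "$dir" max_page_sharing)"
    echo "pages_shared:     $(ksm_read "$dir" pages_shared)"
    echo "pages_sharing:    $(ksm_read "$dir" pages_sharing)"
}

# Usage: ksm_report            (live host)
#        ksm_report /path/to/collected/ksm
```

A status of `active-merging` or `stopped-still-merged` on a host shared between tenants is the case to compare against the kernel version and the vendor's patch status.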
What public intelligence references and advisories exist?
The primary public intelligence reference for this vulnerability is its CVE identifier, CVE-2024-0564. The vulnerability was published on 2024-01-30 15:01:08, providing initial public awareness and details.
What is the risk assessment and urgency level?
The risk associated with CVE-2024-0564 is Medium, as indicated by its CVSS score of 6.5. This vulnerability allows for information leakage through a side-channel attack, which requires specific conditions, primarily co-tenancy on the same host as the victim. While not enabling direct arbitrary code execution, the potential for sensitive data exposure makes it a significant concern, especially in multi-tenant environments such as cloud computing platforms. The urgency level is moderate to high, depending on the environment's security posture and the sensitivity of data processed on shared hosts. Organizations operating virtualized or cloud environments where KSM is enabled should prioritize assessment and patching.