PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-2877 Redhat CVE debrief

CVE-2015-2877 describes an information-disclosure side channel in Linux Kernel Samepage Merging (KSM). The NVD record ties it to Linux kernel versions 2.6.32 through 4.x and some Red Hat Enterprise Linux releases, with low CVSS impact and a local attack vector. The supplied description also notes the vendor position that if this attack vector matters, deduplication should be disabled, which frames the issue as a shared-memory optimization with security tradeoffs in mutually untrusted tenant environments.

Vendor
Redhat
Product
CVE-2015-2877
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-03
Original CVE updated
2026-05-13
Advisory published
2017-03-03
Advisory updated
2026-05-13

Who should care

Cloud and virtualization operators, Linux platform teams, and security engineers responsible for multi-tenant hosts or guest isolation. It is most relevant where memory deduplication/KSM is enabled across mutually untrusted workloads and where ASLR hardening matters.

Technical summary

NVD classifies the weakness as CWE-200 and assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The issue concerns KSM's use of a write-timing side channel that can let a guest user infer information about other guest OS instances, supporting Cross-VM ASL Introspection (CAIN) against ASLR. The referenced material indicates the behavior is tied to memory deduplication/share-until-written operation, and the supplied vendor guidance is to disable deduplication if this attack vector is a concern.

Defensive priority

Moderate for multi-tenant virtualization or hosted environments that rely on KSM and shared deduplication; lower for single-tenant systems or hosts where KSM is not enabled. Priority increases when tenant isolation and ASLR resistance are part of the security model.

Recommended defensive actions

  • Verify whether KSM or broader memory deduplication is enabled on shared or multi-tenant hosts.
  • If cross-tenant side-channel risk is unacceptable, disable deduplication/KSM on those systems as described in the supplied vendor guidance.
  • Review whether the affected kernel and Red Hat Enterprise Linux versions listed by NVD are in use, and apply vendor-supported updates or configuration changes as appropriate.
  • Limit co-residency of mutually untrusted workloads on hosts that rely on memory deduplication for efficiency.
  • Treat this as an information-disclosure and isolation issue rather than a code-execution bug; update threat models accordingly.

Evidence notes

The evidence base supplied here is NVD and referenced third-party advisories/papers. NVD marks the weakness as CWE-200 and provides the CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, supporting a low-severity confidentiality-focused finding. The NVD CPE criteria include Linux kernel 2.6.32 through 4.20.15 and several Red Hat Enterprise Linux releases. The description explicitly states the vendor's view that disabling deduplication mitigates the relevant attack vector, and characterizes share-until-written approaches among mutually untrusting tenants as inherently detectable for information disclosure.

Official resources

Publicly disclosed through the CVE/NVD record on 2017-03-03, with supporting third-party advisories and a technical paper referenced by NVD. The supplied record was later modified on 2026-05-13.