TOSS 5 must clear the page allocator to prevent use-after-free attacks.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-282621 | TOSS-05-000030 | SV-282621r1200843_rule | CCI-000366 | medium |
| Description | ||||
| Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide | 2026-04-01 | |||
Details
Check Text (C-282621r1200843_chk)
Verify GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities.
Check that the current GRUB 2 configuration has page poisoning enabled using the following command:
$ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1'
If any output is returned, this is a finding.
Fix Text (F-87087r1200842_fix)
Configure TOSS 5 to enable page poisoning with the following commands:
$ sudo grubby --update-kernel=ALL --args="page_poison=1"
Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates:
GRUB_CMDLINE_LINUX="page_poison=1"