CVE-2024-36971
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-36971
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-36971.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-36971
- Aliases
-
- A-343727534
- ASB-A-343727534
- Downstream
- Related
- Published
- 2024-06-10T09:03:23.878Z
- Modified
- 2025-11-28T02:34:06.005404Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- net: fix __dst_negative_advice() race
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: fix _dstnegative_advice() race
_dstnegativeadvice() does not enforce proper RCU rules when sk->dstcache must be cleared, leading to possible UAF.
RCU rules are that we must first clear sk->skdstcache, then call dstrelease(olddst).
Note that skdstreset(sk) is implementing this protocol correctly, while _dstnegative_advice() uses the wrong order.
Given that ip6negativeadvice() has special logic against RTFCACHE, this means each of the three ->negativeadvice() existing methods must perform the skdstreset() themselves.
Note the check against NULL dst is centralized in _dstnegative_advice(), there is no need to duplicate it in various callbacks.
Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36971.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13
- https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6
- https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508
- https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4
- https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e
- https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc
- https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72
- https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36971.json
- https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-36971
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36971
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda87cb3e48ee86d29868d3f59cfb9ce1a8fa63314Fixed051c0bde9f0450a2ec3d62a86d2a0d2fad117f13Fixeddb0082825037794c5dba9959c9de13ca34cc5e72Fixed2295a7ef5c8c49241bff769e7826ef2582e532a6Fixedeacb8b195579c174a6d3e12a9690b206eb7f28cfFixed81dd3c82a456b0015461754be7cb2693991421b4Fixed5af198c387128a9d2ddd620b0f0803564a4d4508Fixedb8af8e6118a6605f0e495a58d591ca94a85a50fcFixed92f1655aa2b2294d0b49925f3b875a634bd3b59e
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.6.0Fixed4.19.316
- Type
- ECOSYSTEM
- Events
-
Introduced4.20.0Fixed5.4.278
- Type
- ECOSYSTEM
- Events
-
Introduced5.5.0Fixed5.10.219
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.161
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.94
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.34
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.9.4