CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
43.6%
In the Linux kernel, the following vulnerability has been resolved: net:
fix __dst_negative_advice() race __dst_negative_advice() does not enforce
proper RCU rules when sk->dst_cache must be cleared, leading to possible
UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call
dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this
protocol correctly, while __dst_negative_advice() uses the wrong order.
Given that ip6_negative_advice() has special logic against RTF_CACHE, this
means each of the three ->negative_advice() existing methods must perform
the sk_dst_reset() themselves. Note the check against NULL dst is
centralized in __dst_negative_advice(), there is no need to duplicate it in
various callbacks. Many thanks to Clement Lecigne for tracking this issue.
This old bug became visible after the blamed commit, using UDP sockets.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
git.kernel.org/linus/92f1655aa2b2294d0b49925f3b875a634bd3b59e (6.10-rc2)
git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e
launchpad.net/bugs/cve/CVE-2024-36971
nvd.nist.gov/vuln/detail/CVE-2024-36971
security-tracker.debian.org/tracker/CVE-2024-36971
www.cve.org/CVERecord?id=CVE-2024-36971