CVE-2024-36971

CVE Details

Release Date:

2024-06-10

Description

In the Linux kernel, the following vulnerability has been resolved:\nnet: fix __dst_negative_advice() race\n__dst_negative_advice() does not enforce proper RCU rules when\nsk->dst_cache must be cleared, leading to possible UAF.\nRCU rules are that we must first clear sk->sk_dst_cache,\nthen call dst_release(old_dst).\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three ->negative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\nMany thanks to Clement Lecigne for tracking this issue.\nThis old bug became visible after the blamed commit, using UDP sockets.

See more information about CVE-2024-36971 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	7	CVSS Vector:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector:	Local network	Attack Complexity:	High
Privileges Required:	Low	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	High
Integrity Impact:	High	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12581	2024-08-12
Oracle Linux version 7 (kernel-uek-container)	ELSA-2024-12585	2024-08-12
Oracle Linux version 8 (kernel)	ELSA-2024-5101	2024-08-08
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12581	2024-08-12
Oracle Linux version 8 (kernel-uek-container)	ELSA-2024-12584	2024-08-12
Oracle Linux version 9 (kernel)	ELSA-2024-5363	2024-08-14