CVE-2024-36971

Advisory lineage Upstream: 0 Downstream: 82

Downstream

DEBIAN-CVE-2024-36971 DLA-3840-1 DSA-5730-1 RHSA-2024:5101 RHSA-2024:5102 RHSA-2024:5255

Analyzed

Published: 10 Jun 2024, 09:03

Last modified:11 May 2026, 20:18

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (cve.org)

EPSS Score

0.45% LOW

0% probability -0.05%

KEV

Listed

CISA

1 listing

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Jun 2024, 09:03

Published

Vulnerability first disclosed

07 Aug 2024, 00:00

Added to CISA KEV

Android Kernel Remote Code Execution Vulnerability

28 Aug 2024, 00:00

CISA Remediation Due

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

11 May 2026, 20:18

Last Modified

Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.45%• Percentile: 64%

Techniques & Countermeasures

CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Affected Systems

debian•debian_linux
10.0
linux•linux
≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < 051c0bde9f0450a2ec3d62a86d2a0d2fad117f13 | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < db0082825037794c5dba9959c9de13ca34cc5e72 | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < 2295a7ef5c8c49241bff769e7826ef2582e532a6 | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < eacb8b195579c174a6d3e12a9690b206eb7f28cf | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < 81dd3c82a456b0015461754be7cb2693991421b4 | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < 5af198c387128a9d2ddd620b0f0803564a4d4508 | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < b8af8e6118a6605f0e495a58d591ca94a85a50fc | ≥ a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314, < 92f1655aa2b2294d0b49925f3b875a634bd3b59e | 4.6
linux•linux_kernel
≥ 4.6, < 4.19.316 | ≥ 4.20, < 5.4.278 | ≥ 5.5, < 5.10.219 | ≥ 5.11, < 5.15.161 | ≥ 5.16, < 6.1.94 | ≥ 6.2, < 6.6.34 | ≥ 6.7, < 6.9.4