Linux Kernel: Linux kernel race condition (CVE-2024-36971)

This vulnerability is a race condition in the Linux kernel's __dst_negative_advice() function. The issue, which is four months old and is currently a zero-day, affects the Linux kernel; Android users are primarily at risk. __dst_negative_advice() does not follow Read-Copy-Update (RCU) rules when sk->dst_cache must be cleared: the socket's cached pointer has to be cleared first and dst_release() called on the old entry afterwards, and the function does this in the wrong order, which can lead to a use-after-free. The incorrect sequence allows attackers to exploit the system, potentially resulting in unauthorized actions. Special thanks to Clement Lecigne for identifying this issue, which becomes prominent with the use of UDP sockets.

CVE database technical details

CVE ID
CVE-2024-36971
Description
In the Linux kernel, the following vulnerability has been resolved:
net: fix __dst_negative_advice() race
__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
Provider
Linux
CWE / problem types
Affected Software Versions
Linux:Linux (git commits): affected from a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314 up to, but not including, each of the following commits:
  051c0bde9f0450a2ec3d62a86d2a0d2fad117f13
  db0082825037794c5dba9959c9de13ca34cc5e72
  2295a7ef5c8c49241bff769e7826ef2582e532a6
  eacb8b195579c174a6d3e12a9690b206eb7f28cf
  81dd3c82a456b0015461754be7cb2693991421b4
  5af198c387128a9d2ddd620b0f0803564a4d4508
  b8af8e6118a6605f0e495a58d591ca94a85a50fc
  92f1655aa2b2294d0b49925f3b875a634bd3b59e
Linux:Linux (release versions):
  4.6: affected
  earlier than 4.6: unaffected
  4.19.316 through 4.19.*: unaffected
  5.4.278 through 5.4.*: unaffected
  5.10.219 through 5.10.*: unaffected
  5.15.161 through 5.15.*: unaffected
  6.1.94 through 6.1.*: unaffected
  6.6.34 through 6.6.*: unaffected
  6.9.4 through 6.9.*: unaffected
  6.10 and later: unaffected (original commit for fix)
Date Published
2024-06-10T09:03:23.878Z
Last Updated
2025-05-04T09:13:06.632Z
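
The release-version ranges in the record above can be turned into a quick triage check for a `uname -r` string. This is an added example, not part of the CVE record or the kernel project; the function names and sample releases are constructed here. It assumes an upstream stable version number: vendor and Android kernels often backport fixes without changing the base version, so an "affected" result for such a kernel still needs confirmation against the vendor's own advisory.

```python
import re

# Fixed stable release per branch, copied from "Affected Software Versions" above.
FIXED_PATCH = {
    (4, 19): 316, (5, 4): 278, (5, 10): 219, (5, 15): 161,
    (6, 1): 94, (6, 6): 34, (6, 9): 4,
}
FIRST_AFFECTED = (4, 6)          # record: 4.6 affected, anything earlier unaffected
FIRST_FIXED_MAINLINE = (6, 10)   # record: 6.10 and later unaffected


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def cve_2024_36971_status(release):
    """Classify a kernel release against the version ranges in the CVE record."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "unaffected (predates 4.6)"
    if branch >= FIRST_FIXED_MAINLINE:
        return "unaffected (6.10 or later)"
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        # Branch is inside the affected window and the record lists no fixed release.
        return "affected (no fixed release listed for this branch)"
    if patch >= fixed:
        return f"unaffected (>= {major}.{minor}.{fixed})"
    return f"affected (update to {major}.{minor}.{fixed} or later)"


if __name__ == "__main__":
    # Constructed sample release strings, not taken from real hosts.
    for rel in ["4.4.302", "5.10.218", "5.10.219-android13-4", "6.7.12", "6.10.3"]:
        print(f"{rel:24} {cve_2024_36971_status(rel)}")
```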