CVE-2024-36971
Published: 10 June 2024
Summary
CVE-2024-36971 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 36.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is a use-after-free flaw (CWE-416) in the Linux kernel networking stack, specifically in the __dst_negative_advice() function responsible for handling route cache negative advice. It stems from incorrect RCU ordering when clearing sk->sk_dst_cache: the code performed dst_release before the cache pointer was reset, violating the required sequence that sk_dst_reset() implements correctly. The issue affects multiple negative_advice callbacks for IPv4, IPv6, and other protocols, became observable after a prior commit when used with UDP sockets, and carries a CVSS score of 7.8.
A local attacker with low privileges can trigger the race on affected kernels, potentially leading to arbitrary code execution or memory corruption with high impact on confidentiality, integrity, and availability. Exploitation requires the ability to interact with the socket layer in a way that invokes the negative advice path, after which the freed dst entry may be dereferenced.
The referenced stable kernel commits (including 051c0bde9f04, 2295a7ef5c8c, and related fixes) centralize the NULL check in __dst_negative_advice() and require each protocol-specific callback to call sk_dst_reset() itself to enforce correct RCU ordering before release.
The current EPSS of 0.0045 indicates low observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36321
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
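The ordering rule the commit message states, shown as an added, constructed C model (not kernel code and not the upstream patch): a refcounted dst published through an RCU-protected socket field, with reader_observes_uaf() standing in for a concurrent reader that runs in the window between the two steps of the release path. The struct and function names mirror the kernel's but are assumptions of this model, which is deterministic and single-threaded: it demonstrates why the order matters, not the real race timing.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not kernel code: a dst published through an
 * RCU-protected socket field; refcnt reaching 0 models the free. */
struct dst_entry { int refcnt; };
struct sock { struct dst_entry *sk_dst_cache; };  /* models sk->sk_dst_cache */

static void dst_release(struct dst_entry *dst)
{
    if (dst) dst->refcnt--;   /* last drop ends the object's lifetime */
}

/* Stand-in for a concurrent RCU reader that dereferences whatever pointer
 * is published; true means it would touch an already-freed object. */
static bool reader_observes_uaf(const struct sock *sk)
{
    const struct dst_entry *dst = sk->sk_dst_cache;
    return dst != NULL && dst->refcnt <= 0;
}
/* Pre-fix __dst_negative_advice() order: release first, clear second.
 * The object can die while its pointer is still visible to readers. */
static bool negative_advice_buggy(struct sock *sk)
{
    struct dst_entry *dst = sk->sk_dst_cache;
    if (!dst) return false;
    dst_release(dst);
    bool uaf = reader_observes_uaf(sk);   /* reader runs in the race window */
    sk->sk_dst_cache = NULL;
    return uaf;
}
/* Fixed order, as sk_dst_reset() does it: unpublish first, then release
 * the old reference. A reader in the same window sees NULL. */
static bool negative_advice_fixed(struct sock *sk)
{
    struct dst_entry *old = sk->sk_dst_cache;
    if (!old) return false;
    sk->sk_dst_cache = NULL;
    bool uaf = reader_observes_uaf(sk);   /* same window, nothing to touch */
    dst_release(old);
    return uaf;
}

/* One scenario on a fresh socket whose cache holds the only reference. */
bool run_scenario(bool use_fixed_order)
{
    struct dst_entry dst = { .refcnt = 1 };
    struct sock sk = { .sk_dst_cache = &dst };
    return use_fixed_order ? negative_advice_fixed(&sk) : negative_advice_buggy(&sk);
}
```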
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 07 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely application of the upstream patches (051c0bde9f04 et al.) that enforce correct RCU ordering via sk_dst_reset() inside each negative_advice() callback, eliminating the UAF root cause.
- SI-16 (Memory Protection): memory-protection mechanisms that block the use-after-free of dst_cache objects that __dst_negative_advice() releases in the wrong order.
- SC-39 (Process Isolation): process isolation limits the blast radius of the local UAF triggered via UDP sockets, preventing arbitrary code execution from escaping the affected networking stack context.