Cyber Resilience

CVE-2024-36971

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 June 2024
Modified: 05 November 2025
KEV Added: 07 August 2024
Patch
CVSS Score (v3.1): 7.8, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0045 (64.0th percentile)
Risk Priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-36971 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 36.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is a use-after-free flaw (CWE-416) in the Linux kernel networking stack, specifically in the __dst_negative_advice() function responsible for handling route cache negative advice. It stems from incorrect RCU ordering when clearing sk->sk_dst_cache: the code performed dst_release before the cache pointer was reset, violating the required sequence that sk_dst_reset() implements correctly. The issue affects multiple negative_advice callbacks for IPv4, IPv6, and other protocols, became observable after a prior commit when used with UDP sockets, and carries a CVSS score of 7.8.

A local attacker with low privileges can trigger the race on affected kernels, potentially leading to arbitrary code execution or memory corruption with high impact on confidentiality, integrity, and availability. Exploitation requires the ability to interact with the socket layer in a way that invokes the negative advice path, after which the freed dst entry may be dereferenced.

The referenced stable kernel commits (including 051c0bde9f04, 2295a7ef5c8c, and related fixes) centralize the NULL check in __dst_negative_advice() and require each protocol-specific callback to call sk_dst_reset() itself to enforce correct RCU ordering before release.

The current EPSS of 0.0045 indicates low observed exploitation interest.


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

CWE(s): CWE-416 (Use After Free)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Debian: debian linux 10.0
- Linux: linux kernel 4.6 to 4.19.316 · 4.20 to 5.4.278 · 5.5 to 5.10.219

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the upstream patches (051c0bde9f04 et al.) that enforce correct RCU ordering via sk_dst_reset() inside each negative_advice() callback, eliminating the UAF root cause.

SI-16 Memory Protection (prevent)

Implements memory-protection mechanisms that block the use-after-free of dst_cache objects that __dst_negative_advice() releases in the wrong order.

SC-39 Process Isolation (prevent)

Process isolation limits the blast radius of the local UAF triggered via UDP sockets, preventing arbitrary code execution from escaping the affected networking stack context.
