CVE-2024-36620

6.5 MEDIUM

📋 TL;DR

CVE-2024-36620 is a NULL pointer dereference vulnerability in Moby (Docker's open-source engine) that can cause a denial of service by crashing the Docker daemon. This affects systems running Moby v25.0.0 through v26.0.2 when specific image history operations are performed. The vulnerability requires access to the Docker API or CLI.

💻 Affected Systems

Products:
  • Moby (Docker Engine)
Versions: v25.0.0 through v26.0.2
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when performing specific image history operations via Docker API or CLI. Docker Desktop may bundle affected versions.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Docker daemon crash leading to container downtime, loss of container state, and service disruption across all containers on the host.

🟠 Likely Case

Docker daemon crash requiring manual restart, causing temporary container downtime until the daemon is restored.

🟢 If Mitigated

Minimal impact if proper access controls limit who can execute Docker commands and systems have automated recovery mechanisms.

🌐 Internet-Facing: MEDIUM - Requires Docker API exposure and authentication bypass or valid credentials to exploit remotely.
🏢 Internal Only: MEDIUM - Internal users with Docker access can cause denial of service, but requires specific image operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple API call triggers the vulnerability if access is available.

Exploitation requires access to Docker socket/API and knowledge of specific vulnerable operations. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v26.0.3 and later

Vendor Advisory: https://github.com/moby/moby/security/advisories/GHSA-xxxx-xxxx-xxxx

Restart Required: Yes

Instructions:

1. Stop all containers.
2. Back up important container data.
3. Upgrade Moby/Docker Engine to v26.0.3+.
4. Restart the Docker daemon.
5. Verify the version with 'docker version'.

🔧 Temporary Workarounds

Restrict Docker API Access

Platform: linux

Limit who can access the Docker socket/API to prevent unauthorized users from triggering the vulnerability. With the permissions below, only root and members of the docker group can reach the socket, so audit that group's membership as part of the workaround.

sudo chmod 660 /var/run/docker.sock
sudo chown root:docker /var/run/docker.sock

Disable Image History Operations

Platform: all

Block or monitor 'docker image history' and related API calls through network policies or monitoring.

🧯 If You Can't Patch

  • Implement strict access controls on Docker socket/API to limit who can execute Docker commands.
  • Monitor Docker daemon logs for crashes and implement automated restart mechanisms for high availability.

🔍 How to Verify

Check if Vulnerable:

Run 'docker version' and check whether the server (daemon) version falls between v25.0.0 and v26.0.2 inclusive.

Check Version:

docker version --format '{{.Server.Version}}'

Verify Fix Applied:

After the upgrade, run 'docker version' again and confirm the server version is v26.0.3 or later.
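The manual version check above, turned into a scriptable test (an added example, not part of this advisory). It assumes GNU sort with -V support; the wrapper function additionally assumes a reachable local daemon.

```shell
# Returns 0 when the given Moby/Docker Engine server version lies in the
# affected range v25.0.0 through v26.0.2 inclusive, 1 otherwise.
# Accepts "v25.0.0", "25.0.0" and suffixed forms such as "25.0.5-ce".
is_vulnerable_version() {
    v="${1#v}"             # drop a leading "v"
    v="${v%%[-+]*}"        # drop any "-suffix" or "+build" metadata
    # Assumes GNU sort -V (version-aware ordering).
    lowest=$(printf '%s\n' "25.0.0" "$v" | sort -V | head -n1)
    highest=$(printf '%s\n' "26.0.2" "$v" | sort -V | tail -n1)
    # In range only if 25.0.0 is still the smallest and 26.0.2 still the largest.
    [ "$lowest" = "25.0.0" ] && [ "$highest" = "26.0.2" ]
}

# Queries the local daemon and reports its status.
# Exit codes: 0 = affected version, 1 = not affected, 2 = daemon unreachable.
check_local_daemon() {
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "cannot query Docker daemon" >&2
        return 2
    }
    if is_vulnerable_version "$ver"; then
        echo "AFFECTED by CVE-2024-36620: server version $ver"
        return 0
    fi
    echo "not affected: server version $ver"
    return 1
}

# Example invocation (run on the host to be checked):
#   check_local_daemon
```

Run `check_local_daemon` on each Docker host; its exit code lets the check feed a fleet inventory or a CI gate.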

📡 Detection & Monitoring

Log Indicators:

  • Docker daemon crash logs
  • Panic messages in system logs mentioning image_history.go
  • Unexpected Docker daemon restarts

Network Indicators:

  • HTTP requests to Docker API endpoints related to image history operations

SIEM Query:

source="docker" AND ("panic" OR "crash" OR "image_history")
