CVE-2024-36761

9.8 CRITICAL

📋 TL;DR

CVE-2024-36761 is a critical stack overflow vulnerability in naga v0.14.0's WGSL parser that allows attackers to execute arbitrary code or cause denial of service. This affects any application using the vulnerable naga library for WebGPU Shading Language processing. The high CVSS score of 9.8 indicates this is easily exploitable and can lead to complete system compromise.

💻 Affected Systems

Products:
  • naga
Versions: v0.14.0
Operating Systems: All platforms running naga
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using naga v0.14.0 for WGSL parsing is vulnerable when processing malicious shader code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system takeover, data exfiltration, or ransomware deployment.

🟠 Likely Case

Application crash or denial of service, potentially allowing privilege escalation in multi-user environments.

🟢 If Mitigated

Limited to denial of service if memory protections are enabled, but still significant availability impact.

🌐 Internet-Facing: HIGH - Applications processing untrusted WGSL shaders from external sources are directly vulnerable.
🏢 Internal Only: MEDIUM - Internal applications may still be vulnerable if they process user-generated or untrusted shader code.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the parser component and can be triggered by specially crafted WGSL shader code without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.14.1 or later

Vendor Advisory: https://github.com/gfx-rs/naga/issues/2591

Restart Required: Yes

Instructions:

1. Update naga dependency to v0.14.1 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.

🔧 Temporary Workarounds

Input Validation (Platform: all)

Implement strict validation of WGSL shader inputs before passing them to the naga parser.

Memory Limit Enforcement (Platform: linux)

Use operating system controls to limit stack size for processes using naga.

ulimit -s 8192 # Linux example to limit stack to 8MB

🧯 If You Can't Patch

  • Isolate naga processing to dedicated containers with minimal privileges
  • Implement network segmentation to limit exposure of vulnerable services

🔍 How to Verify

Check if Vulnerable:

Check if naga v0.14.0 is in your dependency tree: cargo tree | grep naga

Check Version:

cargo tree | grep naga

Verify Fix Applied:

Verify naga version is v0.14.1 or later: cargo tree | grep naga
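
Added example, not part of the original advisory or the naga project: a script that reads a Cargo.lock and reports whether the affected naga v0.14.0 is resolved, matching the package name exactly. The function names, the script name check_naga.sh and the sample lock file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): exact-match check of Cargo.lock for
# the naga release listed as affected.
AFFECTED="0.14.0"   # affected version per the advisory; 0.14.1+ is the fix

# Read Cargo.lock on stdin; print the version of every package named exactly
# "naga". Plain `grep naga` would also match other crates such as naga_oil.
naga_versions() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF checkouts
        $0 == "[[package]]" { name = ""; next }
        $1 == "name"    && $2 == "=" { gsub(/"/, "", $3); name = $3; next }
        $1 == "version" && $2 == "=" && name == "naga" {
            gsub(/"/, "", $3); print $3
        }
    '
}

# Succeeds (exit 0) only if the affected version is among the resolved ones.
lock_is_affected() {
    naga_versions | grep -qxF "$AFFECTED"
}

# Constructed sample lock file (abbreviated, source and checksum omitted):
# two naga versions resolved side by side plus a similarly named crate.
sample_lock() {
    cat <<'EOF'
[[package]]
name = "naga"
version = "0.14.0"

[[package]]
name = "naga"
version = "22.1.0"

[[package]]
name = "naga_oil"
version = "0.11.0"
EOF
}

# Usage: sh check_naga.sh path/to/Cargo.lock
if [ -n "${1:-}" ]; then
    if lock_is_affected < "$1"; then
        echo "AFFECTED: naga $AFFECTED resolved in $1"; exit 2
    fi
    echo "OK: naga $AFFECTED not resolved in $1"
fi
```

A lock file can resolve several naga versions at once, so the check looks at every entry rather than the first match.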

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors
  • Stack overflow exceptions
  • Abnormal process termination

Network Indicators:

  • Unusual WGSL shader submissions
  • Large payloads to shader processing endpoints

SIEM Query:

process.name:naga AND (event.type:crash OR error.message:"stack overflow")
