CVE-2024-36900 – A race condition vulnerability in the Linux ker... (How to Fix)

Q: What is the severity of CVE-2024-36900?

CVE-2024-36900 has a CVSS score of 5.5 (MEDIUM). A race condition vulnerability in the Linux kernel's HNS3 network driver allows kernel crashes when devlink reload operations occur during hardware initialization. This affects systems using Huawei HNS3 network hardware with vulnerable kernel versions. The vulnerability can cause denial of service but does not allow privilege escalation or remote code execution.

📋 TL;DR

A race condition vulnerability in the Linux kernel's HNS3 network driver allows kernel crashes when devlink reload operations occur during hardware initialization. This affects systems using Huawei HNS3 network hardware with vulnerable kernel versions. The vulnerability can cause denial of service but does not allow privilege escalation or remote code execution.

💻 Affected Systems

Products:

Linux kernel with HNS3 network driver

Versions: Specific kernel versions containing the vulnerable code (exact versions would need to be determined from git commits)

Operating Systems: Linux distributions using affected kernel versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Huawei HNS3 network hardware. The vulnerability is triggered by timing conditions during devlink reload operations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and complete denial of service, requiring physical or remote console access to reboot the system.

🟠

Likely Case

System crash during network interface initialization or configuration changes, causing temporary service disruption until system reboot.

🟢

If Mitigated

No impact if patched or if devlink reload operations are avoided during system initialization.

🌐 Internet-Facing: LOW - This vulnerability requires local access to trigger devlink reload operations and affects kernel initialization timing.

🏢 Internal Only: MEDIUM - Internal administrators or automated tools performing network configuration changes could trigger the crash during system maintenance windows.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and precise timing to trigger devlink reload during hardware initialization. This is a race condition rather than a direct code execution vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 35d92abfbad88cf947c010baf34b075e40566095 or related fixes

Vendor Advisory: https://git.kernel.org/stable/c/35d92abfbad88cf947c010baf34b075e40566095

Restart Required: Yes

Instructions:

1. Update to a patched kernel version from your distribution vendor. 2. Reboot the system to load the new kernel. 3. Verify the fix by checking kernel version and ensuring devlink operations work correctly.

🔧 Temporary Workarounds

Avoid devlink reload during initialization

linux

Prevent triggering the race condition by avoiding devlink reload operations during system boot or hardware initialization phases.

# Monitor system logs for initialization completion
# Only perform 'devlink dev reload' after system is fully booted

🧯 If You Can't Patch

Avoid using devlink reload operations on systems with HNS3 hardware
Implement monitoring to detect and alert on system crashes during initialization periods

🔍 How to Verify

Check if Vulnerable:

Check if system uses HNS3 hardware and vulnerable kernel version: 'lspci | grep -i hns3' and 'uname -r'

Check Version:

uname -r

Verify Fix Applied:

Check kernel version includes the fix commit: 'grep -r "35d92abfbad88cf947c010baf34b075e40566095" /boot/System.map*' or verify with distribution patch notes

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/messages or dmesg
System crash during network interface initialization
Devlink operation failures

Network Indicators:

Sudden loss of network connectivity on HNS3 interfaces
Interface initialization failures

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "BUG") AND ("hns3" OR "devlink")

📊 Metadata

CVE ID: CVE-2024-36900

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-908

Published: May 30, 2024

Last Updated: September 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-36900, you might also want to check these: