CVE-2024-36918

5.5 MEDIUM

📋 TL;DR

A missing size check in the Linux kernel's BPF bloom filter map implementation allows attackers to trigger integer overflows when creating maps with values above KMALLOC_MAX_SIZE. This can cause kernel crashes (denial of service) on affected systems. Any Linux system using BPF bloom filter maps with unpatched kernel versions is vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Releases before the fix commits (specific versions vary by distribution; check kernel commit history for affected releases)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CAP_BPF or equivalent privileges to create BPF maps. Systems with BPF disabled or restricted via kernel lockdown are less vulnerable.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash and denial of service, potentially requiring physical or remote console access to restore functionality.

🟠

Likely Case

Local denial of service through kernel crash when malicious BPF programs attempt to create oversized bloom filter maps.

🟢

If Mitigated

Minimal impact with proper kernel hardening and BPF restrictions in place, as the vulnerability requires BPF map creation capabilities.

🌐 Internet-Facing: LOW - This vulnerability requires local access or ability to execute BPF programs, which typically isn't exposed to internet-facing services.
🏢 Internal Only: MEDIUM - Malicious local users or compromised accounts with BPF privileges could crash the kernel, affecting system availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple BPF program to trigger the overflow condition

Discovered by syzkaller fuzzer. Exploitation requires ability to load BPF programs, which typically requires elevated privileges or specific capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits 608e13706c8b6c658a0646f09ebced74ec367f7c and related fixes

Vendor Advisory: https://git.kernel.org/stable/c/608e13706c8b6c658a0646f09ebced74ec367f7c

Restart Required: Yes

Instructions:

1. Update the Linux kernel to the patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify that the running kernel version matches the patched release.

🔧 Temporary Workarounds

Restrict BPF capabilities

linux

Limit BPF program loading to trusted users only by restricting CAP_BPF and CAP_PERFMON capabilities

# setcap -r strips all file capabilities from a binary (it has no per-capability remove);
# re-grant only the capabilities a tool genuinely needs afterwards
setcap -r /path/to/executable
# 1 = unprivileged BPF disabled until reboot, 2 = disabled but an admin can re-enable it
sysctl -w kernel.unprivileged_bpf_disabled=1

Enable kernel lockdown

linux

Use kernel lockdown mode to prevent unauthorized modifications to the kernel

# lockdown is not a sysctl: set it at runtime through securityfs (one-way until reboot) ...
echo integrity > /sys/kernel/security/lockdown
# ... or persistently with the lockdown=integrity kernel command-line parameter
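The two workarounds above can be audited without root by reading the kernel's own state files. The following is an added example (not part of this advisory or the kernel project): it reads kernel.unprivileged_bpf_disabled from /proc/sys (0 = unprivileged BPF allowed, 1 = disabled until reboot, 2 = disabled but re-enableable) and the active lockdown mode from /sys/kernel/security/lockdown, whose content has the form "none [integrity] confidentiality" with the active mode in brackets. Both inputs can be injected as strings, so the sample hosts at the bottom are constructed and run offline.

```python
"""Audit the BPF hardening settings listed as workarounds for CVE-2024-36918.

Added example, not the advisory's or the kernel's own code. Reads two
kernel state files (or injected strings) and reports weak settings.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Real paths: the sysctl kernel.unprivileged_bpf_disabled and the securityfs lockdown file.
UNPRIV_BPF_SYSCTL = Path("/proc/sys/kernel/unprivileged_bpf_disabled")
LOCKDOWN_FILE = Path("/sys/kernel/security/lockdown")


@dataclass
class BpfHardening:
    unprivileged_bpf_disabled: Optional[int]  # None if the sysctl is absent
    lockdown_mode: Optional[str]              # None if lockdown is unavailable

    @property
    def unprivileged_bpf_blocked(self) -> bool:
        # Both 1 and 2 block unprivileged BPF; they differ only in reversibility.
        return self.unprivileged_bpf_disabled in (1, 2)

    @property
    def findings(self) -> List[str]:
        out = []
        if self.unprivileged_bpf_disabled is None:
            out.append("kernel.unprivileged_bpf_disabled not found; cannot confirm unprivileged BPF is blocked")
        elif self.unprivileged_bpf_disabled == 0:
            out.append("kernel.unprivileged_bpf_disabled=0: unprivileged users may load BPF (set to 1 or 2)")
        if self.lockdown_mode is None:
            out.append("lockdown unavailable (securityfs not mounted or kernel built without lockdown)")
        elif self.lockdown_mode == "none":
            out.append("lockdown mode is none: consider integrity or confidentiality")
        return out


def parse_lockdown(text: str) -> Optional[str]:
    """Return the bracketed (active) mode from the lockdown file's content."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def parse_sysctl_value(text: str) -> Optional[int]:
    """Parse the single integer a /proc/sys file holds; None if malformed."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def _read(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except OSError:
        return None


def audit(sysctl_text: Optional[str] = None, lockdown_text: Optional[str] = None) -> BpfHardening:
    """Build the audit from injected strings, falling back to the live files."""
    if sysctl_text is None:
        sysctl_text = _read(UNPRIV_BPF_SYSCTL)
    if lockdown_text is None:
        lockdown_text = _read(LOCKDOWN_FILE)
    return BpfHardening(
        unprivileged_bpf_disabled=parse_sysctl_value(sysctl_text) if sysctl_text is not None else None,
        lockdown_mode=parse_lockdown(lockdown_text) if lockdown_text is not None else None,
    )


if __name__ == "__main__":
    # Constructed sample inputs: a host with defaults and a hardened host.
    weak = audit(sysctl_text="0\n", lockdown_text="[none] integrity confidentiality\n")
    hardened = audit(sysctl_text="2\n", lockdown_text="none [integrity] confidentiality\n")
    for label, result in (("weak", weak), ("hardened", hardened)):
        print(label, result.findings or ["no findings"])
```

Calling audit() with no arguments inspects the running host; a missing sysctl or lockdown file is reported as a finding rather than treated as safe, since an absent control cannot be assumed to be enforced.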

🧯 If You Can't Patch

  • Restrict BPF map creation to minimal set of trusted users and processes
  • Implement monitoring for BPF map creation attempts and kernel panic events

🔍 How to Verify

Check if Vulnerable:

Check kernel version against distribution security advisories. Vulnerable if using kernel before fix commits and BPF is enabled.

Check Version:

uname -r

Verify Fix Applied:

Run 'uname -r' and confirm with your distribution vendor that the running kernel release includes the fix commits.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • BPF map creation failures or size errors

Network Indicators:

  • None - this is a local kernel vulnerability

SIEM Query:

source="kern.log" AND ("kernel panic" OR ("BPF" AND "map" AND "size"))
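The query above is easy to misread because AND and OR bind differently in different SIEMs. The following added example (not from this advisory) applies the intended precedence explicitly to kernel log lines: a line is flagged as a panic if it contains "kernel panic", or as a BPF map size indicator only if it mentions BPF, map and size together. The sample log lines are constructed; the scan function accepts any iterable of lines, so it can be fed dmesg output or a kern.log file.

```python
"""Classify kernel log lines against the CVE-2024-36918 log indicators.

Added example, not the advisory's own tooling. Matching is case-insensitive
substring matching, mirroring what the SIEM query does.
"""
from typing import Iterable, List, Optional, Tuple

# All three terms must appear for the BPF map size indicator (the AND part of the query).
BPF_MAP_SIZE_TERMS = ("bpf", "map", "size")


def classify(line: str) -> Optional[str]:
    """Return 'kernel_panic', 'bpf_map_size', or None for an uninteresting line."""
    lowered = line.lower()
    if "kernel panic" in lowered:
        return "kernel_panic"
    if all(term in lowered for term in BPF_MAP_SIZE_TERMS):
        return "bpf_map_size"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, category, line) for every line that matches an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        category = classify(line)
        if category is not None:
            hits.append((number, category, line.rstrip("\n")))
    return hits


# Constructed sample log; the BPF messages are illustrative, not real kernel output.
SAMPLE_LOG = [
    "[    2.104711] systemd[1]: Started Session 1 of user alice.",
    "[  118.220031] bpf: map_create failed for prog 42",            # bpf + map, but no "size": no hit
    "[  119.998102] bpf: bloom filter map rejected: value size exceeds limit",
    "[  120.001544] Kernel panic - not syncing: Fatal exception",
    "[  120.001899] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex",
]


if __name__ == "__main__":
    for number, category, line in scan(SAMPLE_LOG):
        print(f"line {number}: {category}: {line}")
```

One caveat worth building the detection around: a kernel panic usually never reaches /var/log/kern.log on the crashing host, because the system stops before the log is flushed to disk. Ship kernel messages to a remote syslog collector, or capture them with pstore or kdump, so that the panic line this query looks for actually exists somewhere after the crash.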
