CVE-2024-36938

5.5 MEDIUM

📋 TL;DR

A race condition vulnerability in the Linux kernel's BPF subsystem allows a NULL pointer dereference when processing socket messages. This can cause kernel crashes or denial of service. Systems running affected Linux kernel versions with BPF socket map functionality enabled are vulnerable.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Specific affected versions are not explicitly stated; based on the references, versions around 6.8.0 and earlier appear to be affected
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires BPF socket map functionality to be enabled/used. Not all systems may have this configured.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Kernel panic leading to system crash and denial of service, potentially requiring physical reboot.

🟠 Likely Case: System instability, kernel crashes, or denial of service affecting network functionality.

🟢 If Mitigated: Minor performance impact from proper locking implementation with no security impact.

🌐 Internet-Facing: MEDIUM - Requires local access or ability to trigger specific socket operations, but could be exploited through network services.
🏢 Internal Only: MEDIUM - Local users or processes could trigger the vulnerability to cause denial of service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires race condition timing and specific socket operations. Discovered through syzkaller fuzzing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel commits listed in references (e.g., 39dc9e1442385d6e9be0b6491ee488dddd55ae27)

Vendor Advisory: https://git.kernel.org/stable/c/39dc9e1442385d6e9be0b6491ee488dddd55ae27

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from official kernel.org or distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version matches patched release.

🔧 Temporary Workarounds

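Disable BPF socket maps (Linux)

Disable or avoid using BPF socket map functionality if not required:

echo 0 > /proc/sys/net/core/bpf_jit_enable

Remove BPF programs using socket maps.

Note: the bpf_jit_enable sysctl controls only the BPF JIT compiler and does not by itself disable socket maps.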

🧯 If You Can't Patch

  • Restrict BPF functionality to trusted users only
  • Implement strict process isolation and resource limits

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r, and check whether BPF socket map functionality is in use on the system.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version matches patched release and test BPF socket map functionality
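
One way to carry out the "check for BPF socket map usage" step, as an added example that is not part of the original advisory: it filters bpftool listings for sockmap/sockhash maps and the sk_skb/sk_msg programs that attach to them. It assumes bpftool is installed and run as root for --live; the function names and sample listings are constructed for illustration, and the result reports feature usage only, not whether the kernel is patched.

```shell
#!/bin/sh
# Added example, not from the advisory: is this host using BPF socket maps?
# Assumption: bpftool is installed; --live needs root. Names are illustrative.

# Keep objects from plain `bpftool {map,prog} show` output (stdin) whose type
# is in the space-separated list $1; prints "id type name" per match.
filter_bpf_types() {
    awk -v want="$1" '
        BEGIN { n = split(want, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 ~ /^[0-9]+:$/ && ($2 in ok) {
            id = $1; sub(/:$/, "", id); name = "-"
            for (i = 3; i < NF; i++) if ($i == "name") name = $(i + 1)
            print id, $2, name
        }'
}
sock_maps()  { filter_bpf_types "sockmap sockhash"; }
sock_progs() { filter_bpf_types "sk_skb sk_msg"; }

# Verdict: $1 = output of sock_maps, $2 = output of sock_progs.
sockmap_exposure() {
    if [ -n "$1" ]; then echo "in-use"
    elif [ -n "$2" ]; then echo "programs-loaded-no-map"
    else echo "not-in-use"; fi
}

# Constructed sample listings so the script also runs offline.
SAMPLE_MAPS='3: hash  name conn_table  flags 0x0
    key 8B  value 16B  max_entries 1024  memlock 86016B
7: sockmap  name sock_rx  flags 0x0
    key 4B  value 4B  max_entries 20  memlock 4096B
9: sockhash  name sock_by_tuple  flags 0x0
    key 12B  value 4B  max_entries 64  memlock 8192B'
SAMPLE_PROGS='21: sk_skb  name verdict_prog  tag 0123456789abcdef  gpl
    loaded_at 2024-06-01T10:00:00+0000  uid 0
25: kprobe  name trace_open  tag fedcba9876543210  gpl'

if [ "${1:-}" = "--live" ]; then
    maps=$(bpftool map show | sock_maps)
    progs=$(bpftool prog show | sock_progs)
else
    maps=$(printf '%s\n' "$SAMPLE_MAPS" | sock_maps)
    progs=$(printf '%s\n' "$SAMPLE_PROGS" | sock_progs)
fi
echo "kernel: $(uname -r)"
echo "sockmap usage: $(sockmap_exposure "$maps" "$progs")"
[ -z "$maps" ] || printf '%s\n' "$maps"
```

Run with no arguments to see the output on the constructed sample, or with --live to query the running host.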

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • NULL pointer dereference errors in kernel logs
  • System crash/reboot events

Network Indicators:

  • Sudden loss of socket connectivity
  • Abnormal BPF program termination

SIEM Query:

source="kernel" AND ("NULL pointer" OR "sk_psock" OR "KCSAN" OR "data-race")

🔗 References
