PT-2024-1003 · Linux · Linux Kernel
Billy Jheng Bing-Jhong · Published 2024-05-21 · Updated 2025-08-16
CVE-2024-36972
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions 6.8 through 6.9
Linux kernel version 5.15.147
Linux kernel version 6.1.78
Linux kernel version 6.6.17
Description
The vulnerability is a race condition between the unix_gc() and queue_oob() functions in the af_unix module of the Linux kernel. The race can lead to a NULL pointer dereference, causing a kernel crash or potentially allowing an attacker to escalate privileges. The issue arises when unix_gc() garbage-collects closed in-flight sockets while the peer socket sends an MSG_OOB message, allowing queue_oob() to update unix_sk(sk)->oob_skb concurrently. The vulnerability affects Linux kernel versions 6.8 through 6.9, 5.15.147, 6.1.78, and 6.6.17. It can be exploited to achieve local privilege escalation and potentially container escape.
Recommendations
To resolve the issue, update unix_sk(sk)->oob_skb under the sk_receive_queue lock and take that lock everywhere oob_skb is touched. Additionally, defer kfree_skb() in manage_oob() to silence a lockdep false positive. For each affected version, the recommendation is to update to a newer version that includes the fix. Specifically:
- For versions 6.8 through 6.9, update to version 6.9 or later.
- For version 5.15.147, update to version 5.15.148 or later.
- For version 6.1.78, update to version 6.1.79 or later.
- For version 6.6.17, update to version 6.6.18 or later.
It is crucial to apply these updates to prevent potential exploitation of the vulnerability.
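The locking discipline of the fix described above, modelled in plain userspace C as an added example (this is not the kernel patch or any kernel code): oob_skb is only read or written while a stand-in for the sk_receive_queue lock is held, the NULL check happens under that lock, and the free is deferred until after the lock is dropped. The struct layout and function names are assumed simplifications of the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model: a single lock flag stands in for the receive-queue
 * spinlock, and a counter records deferred frees so the pattern is testable. */
struct sk_buff { int data; };

struct unix_sock {
    bool queue_locked;        /* stand-in for sk_receive_queue.lock */
    struct sk_buff *oob_skb;  /* the pointer the race was about */
    int freed;                /* number of deferred kfree_skb() calls */
};

static void queue_lock(struct unix_sock *u)   { u->queue_locked = true; }
static void queue_unlock(struct unix_sock *u) { u->queue_locked = false; }

/* Every access to oob_skb goes through here; touching it without the
 * lock is the bug class the fix removes, so the model aborts on it. */
static struct sk_buff **oob_slot(struct unix_sock *u) {
    if (!u->queue_locked) abort();
    return &u->oob_skb;
}

/* Peer sends MSG_OOB: install the new skb under the lock and hand the
 * previous one back so the caller frees it outside the lock. */
static struct sk_buff *queue_oob(struct unix_sock *u, struct sk_buff *skb) {
    queue_lock(u);
    struct sk_buff *old = *oob_slot(u);
    *oob_slot(u) = skb;
    queue_unlock(u);
    return old;
}

/* Collector found the socket closed: detach under the lock, free after. */
static void unix_gc_drop_oob(struct unix_sock *u) {
    queue_lock(u);
    struct sk_buff *skb = *oob_slot(u);
    *oob_slot(u) = NULL;
    queue_unlock(u);
    if (skb) { free(skb); u->freed++; }   /* deferred kfree_skb() */
}

/* Receiver consumes the pending OOB byte; the NULL check is made while
 * the lock is held, so a concurrent gc cannot pull the skb away. */
static int manage_oob_read(struct unix_sock *u, int *out) {
    queue_lock(u);
    struct sk_buff *skb = *oob_slot(u);
    if (!skb) { queue_unlock(u); return -1; }
    *out = skb->data;
    *oob_slot(u) = NULL;
    queue_unlock(u);
    free(skb); u->freed++;               /* deferred kfree_skb() */
    return 0;
}
```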
Exploit
Fix
LPE
Use After Free
NULL Pointer Dereference
Race Condition
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu