CVE-2024-36908

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.37

Description A vulnerability in the Linux kernel has been resolved, related to the blk-iocost module. The issue occurs when the iocg pay debt() function triggers a warning if the active list is empty, which is intended to confirm that the iocg is active when it has debt. However, this warning can be triggered during a blkcg or disk removal, if iocg waitq timer fn() is run at that time. The warning in this situation is meaningless, as the state of the active list is irrelevant when the iocg is being removed. To avoid this warning, a check has been added to see if the iocg was already offlined when removing a blkcg or disk.

Recommendations Update to Linux kernel version 6.6.37 or later to resolve the issue.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2025-07500

CVE-2024-36908

DLA-4178-1

DLA-4193-1

DSA-5907-1

ECHO-4BEB-0BD6-4115

MGASA-2024-0263

MGASA-2024-0266

OESA-2024-1706

OESA-2024-1707

OESA-2024-2076

OPENSUSE-SU-2025_0117-1

OPENSUSE-SU-2025_0153-1

OPENSUSE-SU-2025_0154-1

SUSE-SU-2025:0117-1

SUSE-SU-2025:0153-1

SUSE-SU-2025:0154-1

SUSE-SU-2025:0289-1

SUSE-SU-2025:20165-1

SUSE-SU-2025:20166-1

SUSE-SU-2025:20248-1

SUSE-SU-2025:20249-1

USN-6949-1

USN-6949-2

USN-6952-1

USN-6952-2

USN-6955-1

USN-7654-1

USN-7654-2

USN-7654-3

USN-7654-4

USN-7654-5

USN-7655-1

USN-7686-1

USN-7711-1

USN-7712-1

USN-7712-2

Affected Products

Astra Linux

Debian

Linuxmint

Linux Kernel

Red Os

Suse

Ubuntu

CVE-2024-36908

Weakness Enumeration

Related Identifiers

Affected Products

References · 2171