PT-2024-9113 · Moby+6 · Moby+6

Published

2024-11-29

Updated

2025-07-02

CVE-2024-36621

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: moby version 25.0.5

Description: The issue is related to a race condition in the builder/builder-next/adapters/snapshot/layer.go file. This could be used to trigger concurrent builds that invoke the EnsureLayer function, resulting in resource leaks or exhaustion. The vulnerability may allow a remote attacker to cause a denial of service.

Recommendations: For moby version 25.0.5, consider disabling the EnsureLayer function as a temporary workaround to prevent concurrent builds from invoking it and causing resource leaks or exhaustion. Restrict access to the layer.go file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

AZL-53810

AZL-53813

BDU:2024-10799

CVE-2024-36621

GHSA-2MJ3-VFVX-FC43

GO-2024-3304

OESA-2024-2507

OESA-2024-2525

OESA-2024-2526

OESA-2024-2527

OESA-2024-2528

OESA-2024-2529

OPENSUSE-SU-2024:14567-1

USN-7474-1

Affected Products

Astra Linux

Debian

Docker

Linuxmint

Red Os

Ubuntu

Moby

PT-2024-9113 · Moby+6 · Moby+6

CVE-2024-36621

Weakness Enumeration

Related Identifiers

Affected Products

References · 69