KEVIntel

CVSS 7.8 (High)

CVE-2024-36971

PUBLISHED

net: fix __dst_negative_advice() race

Exploited in the wild · Low complexity · No user interaction
Vendor
Linux
Product
Linux
Published
Jun 10, 2024
EPSS

Description

In the Linux kernel, the following vulnerability has been resolved:

net: fix __dst_negative_advice() race

__dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF.

RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst).

Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order.

Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves.

Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks.

Many thanks to Clement Lecigne for tracking this issue.

This old bug became visible after the blamed commit, using UDP sockets.

Tags: windows, linux, cisa, nessus_scanner

CVSS scores

CVSS v3.1: 7.8 (High)

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2024-08-07 00:00:00 UTC

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: CISA (added Aug 07, 2024)

Scanner integrations

Scanner: Nessus (detected Jun 02, 2025)
Reference: https://www.tenable.com/plugins/nessus/215599

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nessus