CVE-2024-36003: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ice: fix LAG and VF lock dependency in ice_reset_vf() 9f74a3dfcf83 ("ice: Fix VF Reset paths when interface in a failed over aggregate"), the ice driver has acquired the LAG mutex in ice_reset_vf(). The commit placed this lock acquisition just prior to the acquisition of the VF configuration lock. If ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK flag, this could deadlock with ice_vc_cfg_qs_msg() because it always acquires the locks in the order of the VF configuration lock and then the LAG mutex. Lockdep reports this violation almost immediately on creating and then removing 2 VF: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-rc6 #54 Tainted: G W O ------------------------------------------------------ kworker/60:3/6771 is trying to acquire lock: ff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice] but task is already holding lock: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&pf->lag_mutex){+.+.}-{3:3}: __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_vc_cfg_qs_msg+0x45/0x690 [ice] ice_vc_process_vf_msg+0x4f5/0x870 [ice] __ice_clean_ctrlq+0x2b5/0x600 [ice] ice_service_task+0x2c9/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 -> #0 (&vf->cfg_lock){+.+.}-{3:3}: check_prev_add+0xe2/0xc50 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_reset_vf+0x22f/0x4d0 [ice] ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pf->lag_mutex); lock(&vf->cfg_lock); lock(&pf->lag_mutex); lock(&vf->cfg_lock); *** DEADLOCK *** 4 locks held by kworker/60:3/6771: #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice] #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] stack backtrace: CPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54 Hardware name: Workqueue: ice ice_service_task [ice] Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 check_noncircular+0x12d/0x150 check_prev_add+0xe2/0xc50 ? save_trace+0x59/0x230 ? add_chain_cache+0x109/0x450 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 ? lockdep_hardirqs_on+0x7d/0x100 lock_acquire+0xd4/0x2d0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? lock_is_held_type+0xc7/0x120 __mutex_lock+0x9b/0xbf0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? ice_reset_vf+0x22f/0x4d0 [ice] ? rcu_is_watching+0x11/0x50 ? ice_reset_vf+0x22f/0x4d0 [ice] ice_reset_vf+0x22f/0x4d0 [ice] ? process_one_work+0x176/0x4d0 ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x104/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> To avoid deadlock, we must acquire the LAG ---truncated---
AI Analysis
Technical Summary
CVE-2024-36003 is a concurrency vulnerability identified in the Linux kernel's ice network driver, which manages Intel Ethernet devices. The flaw arises from an unsafe locking order between two mutexes: the LAG (Link Aggregation Group) mutex and the VF (Virtual Function) configuration lock. Specifically, the function ice_reset_vf() acquires the LAG mutex before the VF configuration lock, whereas another function, ice_vc_cfg_qs_msg(), acquires these locks in the opposite order (VF configuration lock first, then LAG mutex). This inconsistent lock acquisition order creates a circular locking dependency that can lead to a deadlock scenario. The deadlock manifests when two CPUs or threads attempt to acquire these locks in reverse order simultaneously, causing both to wait indefinitely for the other to release a lock. The vulnerability was detected via lockdep warnings and confirmed through kernel stack traces showing the circular dependency and deadlock conditions. The issue affects specific Linux kernel versions containing the ice driver commits referenced (e.g., 9f74a3dfcf83). Although no known exploits are reported in the wild, the deadlock can cause system hangs or degraded network functionality, particularly in environments utilizing virtual functions and link aggregation features of Intel Ethernet hardware. The vulnerability is rooted in kernel-level synchronization logic, impacting the availability of network services relying on the ice driver. This is a classic concurrency bug rather than a memory corruption or privilege escalation flaw, but its impact on system stability and network availability can be significant in affected deployments.
Potential Impact
For European organizations, especially those operating data centers, cloud infrastructure, or enterprise networks using Linux servers with Intel Ethernet devices managed by the ice driver, this vulnerability poses a risk of system hangs or network outages. The deadlock can disrupt virtualized network functions, impacting services that rely on virtual functions (VFs) such as network slicing, multi-tenant isolation, or advanced network configurations using link aggregation. This could degrade availability of critical business applications, cloud services, or telecommunications infrastructure. Given the widespread use of Linux in European IT environments and the prevalence of Intel network adapters, the risk is non-trivial. Organizations in sectors like finance, telecommunications, healthcare, and government—where network reliability and uptime are paramount—may face operational disruptions if the vulnerability is triggered. Although exploitation requires specific conditions (use of VFs and LAG in the ice driver), the potential for deadlocks affecting kernel threads means that even routine network management operations could cause system instability. This could lead to increased downtime, incident response costs, and potential SLA violations. However, the vulnerability does not appear to expose confidentiality or integrity risks directly, focusing primarily on availability impact.
Mitigation Recommendations
To mitigate CVE-2024-36003, European organizations should: 1) Apply the official Linux kernel patches that reorder lock acquisitions to maintain a consistent locking hierarchy, preventing circular dependencies. Monitoring Linux kernel mailing lists and vendor advisories for updated ice driver patches is critical. 2) Where immediate patching is not feasible, consider disabling virtual functions (VFs) or link aggregation features on Intel Ethernet devices managed by the ice driver to avoid triggering the deadlock scenario. 3) Implement kernel lockdep monitoring in test environments to detect potential deadlocks during network configuration changes involving VFs and LAG. 4) Conduct controlled testing of network failover and VF reset operations to identify hangs or deadlocks before deploying changes in production. 5) Maintain updated Linux kernel versions from trusted vendors who have integrated the fix. 6) For critical infrastructure, consider network redundancy and failover strategies at higher layers to mitigate potential availability impacts from kernel-level deadlocks. 7) Engage with hardware and Linux distribution vendors to confirm the presence of fixes and recommended configurations. These steps go beyond generic advice by focusing on the specific locking order issue and operational practices around VFs and LAG in the ice driver context.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
CVE-2024-36003: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix LAG and VF lock dependency in ice_reset_vf() 9f74a3dfcf83 ("ice: Fix VF Reset paths when interface in a failed over aggregate"), the ice driver has acquired the LAG mutex in ice_reset_vf(). The commit placed this lock acquisition just prior to the acquisition of the VF configuration lock. If ice_reset_vf() acquires the configuration lock via the ICE_VF_RESET_LOCK flag, this could deadlock with ice_vc_cfg_qs_msg() because it always acquires the locks in the order of the VF configuration lock and then the LAG mutex. Lockdep reports this violation almost immediately on creating and then removing 2 VF: ====================================================== WARNING: possible circular locking dependency detected 6.8.0-rc6 #54 Tainted: G W O ------------------------------------------------------ kworker/60:3/6771 is trying to acquire lock: ff40d43e099380a0 (&vf->cfg_lock){+.+.}-{3:3}, at: ice_reset_vf+0x22f/0x4d0 [ice] but task is already holding lock: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&pf->lag_mutex){+.+.}-{3:3}: __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_vc_cfg_qs_msg+0x45/0x690 [ice] ice_vc_process_vf_msg+0x4f5/0x870 [ice] __ice_clean_ctrlq+0x2b5/0x600 [ice] ice_service_task+0x2c9/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 -> #0 (&vf->cfg_lock){+.+.}-{3:3}: check_prev_add+0xe2/0xc50 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 lock_acquire+0xd4/0x2d0 __mutex_lock+0x9b/0xbf0 ice_reset_vf+0x22f/0x4d0 [ice] ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 kthread+0x104/0x140 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1b/0x30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&pf->lag_mutex); lock(&vf->cfg_lock); lock(&pf->lag_mutex); lock(&vf->cfg_lock); *** DEADLOCK *** 4 locks held by kworker/60:3/6771: #0: ff40d43e05428b38 ((wq_completion)ice){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #1: ff50d06e05197e58 ((work_completion)(&pf->serv_task)){+.+.}-{0:0}, at: process_one_work+0x176/0x4d0 #2: ff40d43ea1960e50 (&pf->vfs.table_lock){+.+.}-{3:3}, at: ice_process_vflr_event+0x48/0xd0 [ice] #3: ff40d43ea1961210 (&pf->lag_mutex){+.+.}-{3:3}, at: ice_reset_vf+0xb7/0x4d0 [ice] stack backtrace: CPU: 60 PID: 6771 Comm: kworker/60:3 Tainted: G W O 6.8.0-rc6 #54 Hardware name: Workqueue: ice ice_service_task [ice] Call Trace: <TASK> dump_stack_lvl+0x4a/0x80 check_noncircular+0x12d/0x150 check_prev_add+0xe2/0xc50 ? save_trace+0x59/0x230 ? add_chain_cache+0x109/0x450 validate_chain+0x558/0x800 __lock_acquire+0x4f8/0xb40 ? lockdep_hardirqs_on+0x7d/0x100 lock_acquire+0xd4/0x2d0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? lock_is_held_type+0xc7/0x120 __mutex_lock+0x9b/0xbf0 ? ice_reset_vf+0x22f/0x4d0 [ice] ? ice_reset_vf+0x22f/0x4d0 [ice] ? rcu_is_watching+0x11/0x50 ? ice_reset_vf+0x22f/0x4d0 [ice] ice_reset_vf+0x22f/0x4d0 [ice] ? process_one_work+0x176/0x4d0 ice_process_vflr_event+0x98/0xd0 [ice] ice_service_task+0x1cc/0x480 [ice] process_one_work+0x1e9/0x4d0 worker_thread+0x1e1/0x3d0 ? __pfx_worker_thread+0x10/0x10 kthread+0x104/0x140 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> To avoid deadlock, we must acquire the LAG ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-36003 is a concurrency vulnerability identified in the Linux kernel's ice network driver, which manages Intel Ethernet devices. The flaw arises from an unsafe locking order between two mutexes: the LAG (Link Aggregation Group) mutex and the VF (Virtual Function) configuration lock. Specifically, the function ice_reset_vf() acquires the LAG mutex before the VF configuration lock, whereas another function, ice_vc_cfg_qs_msg(), acquires these locks in the opposite order (VF configuration lock first, then LAG mutex). This inconsistent lock acquisition order creates a circular locking dependency that can lead to a deadlock scenario. The deadlock manifests when two CPUs or threads attempt to acquire these locks in reverse order simultaneously, causing both to wait indefinitely for the other to release a lock. The vulnerability was detected via lockdep warnings and confirmed through kernel stack traces showing the circular dependency and deadlock conditions. The issue affects specific Linux kernel versions containing the ice driver commits referenced (e.g., 9f74a3dfcf83). Although no known exploits are reported in the wild, the deadlock can cause system hangs or degraded network functionality, particularly in environments utilizing virtual functions and link aggregation features of Intel Ethernet hardware. The vulnerability is rooted in kernel-level synchronization logic, impacting the availability of network services relying on the ice driver. This is a classic concurrency bug rather than a memory corruption or privilege escalation flaw, but its impact on system stability and network availability can be significant in affected deployments.
Potential Impact
For European organizations, especially those operating data centers, cloud infrastructure, or enterprise networks using Linux servers with Intel Ethernet devices managed by the ice driver, this vulnerability poses a risk of system hangs or network outages. The deadlock can disrupt virtualized network functions, impacting services that rely on virtual functions (VFs) such as network slicing, multi-tenant isolation, or advanced network configurations using link aggregation. This could degrade availability of critical business applications, cloud services, or telecommunications infrastructure. Given the widespread use of Linux in European IT environments and the prevalence of Intel network adapters, the risk is non-trivial. Organizations in sectors like finance, telecommunications, healthcare, and government—where network reliability and uptime are paramount—may face operational disruptions if the vulnerability is triggered. Although exploitation requires specific conditions (use of VFs and LAG in the ice driver), the potential for deadlocks affecting kernel threads means that even routine network management operations could cause system instability. This could lead to increased downtime, incident response costs, and potential SLA violations. However, the vulnerability does not appear to expose confidentiality or integrity risks directly, focusing primarily on availability impact.
Mitigation Recommendations
To mitigate CVE-2024-36003, European organizations should: 1) Apply the official Linux kernel patches that reorder lock acquisitions to maintain a consistent locking hierarchy, preventing circular dependencies. Monitoring Linux kernel mailing lists and vendor advisories for updated ice driver patches is critical. 2) Where immediate patching is not feasible, consider disabling virtual functions (VFs) or link aggregation features on Intel Ethernet devices managed by the ice driver to avoid triggering the deadlock scenario. 3) Implement kernel lockdep monitoring in test environments to detect potential deadlocks during network configuration changes involving VFs and LAG. 4) Conduct controlled testing of network failover and VF reset operations to identify hangs or deadlocks before deploying changes in production. 5) Maintain updated Linux kernel versions from trusted vendors who have integrated the fix. 6) For critical infrastructure, consider network redundancy and failover strategies at higher layers to mitigate potential availability impacts from kernel-level deadlocks. 7) Engage with hardware and Linux distribution vendors to confirm the presence of fixes and recommended configurations. These steps go beyond generic advice by focusing on the specific locking order issue and operational practices around VFs and LAG in the ice driver context.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T13:50:33.150Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9828c4522896dcbe2437
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:11:51 AM
Last updated: 8/12/2025, 12:26:44 AM
Views: 11
Related Threats
CVE-2025-8947: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-8046: CWE-79 Cross-Site Scripting (XSS) in Injection Guard
MediumCVE-2025-7808: CWE-79 Cross-Site Scripting (XSS) in WP Shopify
HighCVE-2025-6790: CWE-352 Cross-Site Request Forgery (CSRF) in Quiz and Survey Master (QSM)
HighCVE-2025-3414: CWE-79 Cross-Site Scripting (XSS) in Structured Content (JSON-LD) #wpsc
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.