CVE-2024-36008: Vulnerability in Linux Linux

High
Published: Mon May 20 2024 (05/20/2024, 09:48:07 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv4: check for NULL idev in ip_route_use_hint()

syzbot was able to trigger a NULL deref in fib_validate_source() in an old tree [1].

It appears the bug exists in latest trees.

All calls to __in_dev_get_rcu() must be checked for a NULL result.

[1]
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
 ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
 ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
 ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
 ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
 __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
 __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
 __netif_receive_skb_list net/core/dev.c:5672 [inline]
 netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
 netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
 xdp_recv_frames net/bpf/test_run.c:257 [inline]
 xdp_test_run_batch net/bpf/test_run.c:335 [inline]
 bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
 bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
 bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
 __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
 __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199

AI-Powered Analysis

Last updated: 06/29/2025, 09:24:41 UTC

Technical Analysis

CVE-2024-36008 is a vulnerability identified in the Linux kernel's IPv4 networking stack, specifically related to the function ip_route_use_hint() and the handling of network device pointers within the kernel's routing code. The root cause is a missing NULL pointer check after calls to __in_dev_get_rcu(), which can result in a NULL pointer dereference in the fib_validate_source() function. This bug was initially discovered by syzbot, an automated kernel fuzzer, which triggered a NULL dereference leading to a general protection fault and kernel crash. The vulnerability exists in recent Linux kernel trees and affects multiple versions identified by the commit hash 02b24941619fcce3d280311ac73b1e461552e9c8.

The issue arises when the kernel attempts to validate source addresses for routing decisions but fails to verify that the network device pointer is non-NULL before dereferencing it. This can cause a kernel panic or system crash due to invalid memory access. The vulnerability is triggered during normal IPv4 packet processing, specifically when the kernel processes routing hints and source validation in the fib_frontend.c and route.c files. The stack trace shows the fault occurs deep within the network stack, affecting packet reception and routing functions.

Although no known exploits are currently reported in the wild, the vulnerability could be leveraged by an attacker capable of sending crafted IPv4 packets to cause denial of service (DoS) by crashing the kernel. The issue does not appear to require privileged access or authentication, as it is triggered by network traffic processing. No CVSS score has been assigned yet, and no official patch links are provided, but the Linux kernel maintainers have acknowledged the problem and indicated that all calls to __in_dev_get_rcu() must be checked for NULL to prevent this issue.

Potential Impact

For European organizations, the impact of CVE-2024-36008 primarily involves potential denial of service conditions on Linux-based systems that handle IPv4 network traffic. Many European enterprises, government agencies, and critical infrastructure operators rely heavily on Linux servers and network devices. A successful exploitation could cause kernel crashes, leading to service interruptions in web servers, network appliances, cloud infrastructure, and embedded systems. This could disrupt business operations, degrade service availability, and impact critical services such as telecommunications, finance, and public administration. While the vulnerability does not directly lead to privilege escalation or remote code execution, the resulting instability and downtime could be exploited as part of a broader attack chain or cause significant operational disruption. Organizations with large-scale Linux deployments, especially those exposed to untrusted IPv4 traffic, are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future weaponization. The vulnerability also poses a risk to Linux-based IoT and industrial control systems prevalent in European manufacturing and energy sectors, where system stability is critical.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel versions to incorporate the fix once officially released by the Linux kernel maintainers. Until patches are available, network administrators should implement strict ingress filtering to block malformed or suspicious IPv4 packets that could trigger the vulnerability. Deploying network-level protections such as firewalls and intrusion prevention systems (IPS) configured to detect anomalous routing or packet patterns can reduce exposure. System administrators should monitor kernel logs for any signs of crashes or faults related to fib_validate_source or ip_route_use_hint functions. For critical systems, consider isolating vulnerable Linux hosts from untrusted networks or limiting IPv4 traffic to trusted sources. Organizations should also engage with their Linux distribution vendors to obtain backported patches or security advisories. In environments using containerization or virtualization, ensure host kernels are patched promptly and consider network segmentation to limit attack surface. Finally, maintain robust backup and recovery procedures to minimize downtime in case of exploitation.
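
The kernel-log check recommended above, as an added example (not code from this advisory or from the kernel project): it splits log text into fault reports and flags those whose faulting symbol and call trace match the trace quoted in the description. The sample log is constructed, the function names and the two fault headers it looks for are assumptions of this sketch, and symbol names can differ between kernel builds.

```python
import re

# Constructed sample: lines from the trace quoted in the description, timestamps added, plus a made-up second fault.
SAMPLE_LOG = """\
[  101.000001] eth0: link up
[  312.551201] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
[  312.551210] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[  312.551230] RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
[  312.551260] Call Trace:
[  312.551270]  ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
[  400.000000] general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#2] SMP
[  400.000010] RIP: 0010:some_other_function+0x10/0x40
[  400.000020] Call Trace:
[  400.000030]  unrelated_caller+0x20/0x80
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
START = re.compile(r"general protection fault|BUG: kernel NULL pointer dereference")
RIP = re.compile(r"^RIP:\s+\w+:([\w.]+)\+0x")  # faulting kernel symbol
FRAME = re.compile(r"^\s*(?:\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_reports(text):
    """Split kernel log text into fault reports (header, RIP symbol, call-trace symbols)."""
    reports, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if START.search(line):  # a new fault report begins
            cur = {"header": line.strip(), "rip": None, "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue  # ordinary log line before any fault
        elif cur["rip"] is None and (m := RIP.match(line)):
            cur["rip"] = m.group(1)
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            cur["frames"].append(m.group(1))
    return reports

def matches_cve_2024_36008(report):
    """Signature from this advisory: fault in fib_validate_source() reached via ip_route_use_hint()."""
    return report["rip"] == "fib_validate_source" and "ip_route_use_hint" in report["frames"]

def scan(text):
    return [r for r in parse_reports(text) if matches_cve_2024_36008(r)]

if __name__ == "__main__":
    print([hit["header"] for hit in scan(SAMPLE_LOG)])
```

A match indicates a crash with the same shape as the one in the description, not proof of the cause; the kernel version still has to be checked against the distribution's advisory.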

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.152Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2464

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 9:24:41 AM

Last updated: 8/3/2025, 6:56:35 PM
