
CVE-2024-36286: Vulnerability in the Linux kernel

Severity: High
Published: Fri Jun 21 2024 (06/21/2024, 10:18:08 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

syzbot reported that nf_reinject() could be called without rcu_read_lock() :

WARNING: suspicious RCU usage
6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.4/13427:
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline]
#0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline]
#1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172

stack backtrace:
CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
 nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
 instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
 rcu_do_batch kernel/rcu/tree.c:2196 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 09:39:58 UTC

Technical Analysis

CVE-2024-36286 is a recently disclosed vulnerability in the Linux kernel's netfilter subsystem, specifically in the nfnetlink_queue component. It stems from incorrect use of Read-Copy-Update (RCU) synchronization: nf_reinject() could be reached without rcu_read_lock() held, so the rcu_dereference_check() inside it ran outside any RCU read-side critical section. The unprotected path is instance_destroy_rcu(), the RCU callback responsible for safely tearing down an nfnetlink_queue instance; it flushes the instance's pending packets (nfqnl_flush() -> nfqnl_reinject() -> nf_reinject()) while holding only the instance spinlock and the implicit rcu_callback lock. Missing RCU protection of this kind can lead to race conditions or use-after-free scenarios. The issue was detected by syzbot, the kernel fuzzing bot, whose lockdep report (quoted in the Description above) flagged the suspicious rcu_dereference_check() usage from within the RCU callback, which is what exposes the concurrency bug. The vulnerability affects multiple versions of the Linux kernel identified by commit hashes, and it was patched shortly after discovery by acquiring rcu_read_lock() in instance_destroy_rcu(). The netfilter nfnetlink_queue subsystem is used for packet queuing and reinjection and is often leveraged by firewall and network monitoring tools. Improper locking in this subsystem could lead to kernel crashes or memory corruption, potentially allowing local attackers or malicious kernel modules to escalate privileges or cause denial of service. No known exploits are reported in the wild yet, and no CVSS score has been assigned as of the publication date.

Potential Impact

For European organizations, the impact of CVE-2024-36286 could be significant, especially for those relying heavily on Linux-based infrastructure for networking, firewalls, or security appliances that utilize netfilter's nfnetlink_queue functionality. Exploitation could lead to kernel panics or memory corruption, resulting in denial of service conditions that disrupt critical services. In worst-case scenarios, attackers with local access or the ability to load kernel modules could leverage this flaw to escalate privileges, compromising system integrity and confidentiality. This is particularly concerning for data centers, cloud providers, telecom operators, and enterprises running Linux-based network security solutions. Given the widespread use of Linux in European critical infrastructure and enterprise environments, unpatched systems could face operational disruptions and increased risk of targeted attacks. However, the lack of known exploits and the requirement for local or privileged access somewhat limit the immediate threat level. Still, the vulnerability demands prompt attention to prevent potential exploitation in sensitive environments.

Mitigation Recommendations

European organizations should prioritize applying the official Linux kernel patches that address this RCU synchronization issue in the nfnetlink_queue subsystem. Since the vulnerability is a kernel-level concurrency bug, updating to the latest stable kernel versions containing the fix is the most effective mitigation. For environments where immediate patching is challenging, organizations should restrict local user access and limit the ability to load kernel modules to trusted administrators only. Monitoring kernel logs for lockdep "suspicious RCU usage" warnings or nfnetlink_queue-related errors can help detect attempts to trigger the vulnerability. Network security appliances or firewalls using custom or older Linux kernels should be audited and updated accordingly. Additionally, organizations should implement strict access controls and employ kernel hardening frameworks such as SELinux or AppArmor to reduce the attack surface. Regular vulnerability scanning and integration of kernel security updates into patch management workflows will further mitigate risks associated with this and similar kernel vulnerabilities.
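The log-monitoring recommendation above can be made concrete. The following is an added example, not code from the advisory, OffSeq or the kernel project: it parses "WARNING: suspicious RCU usage" splats out of dmesg or journalctl text and flags only those whose call trace runs through net/netfilter/nfnetlink_queue.c inside an RCU callback (rcu_do_batch/rcu_core), which is the shape of the syzbot report quoted in the Description. The sample log is constructed: the first splat is rebuilt from the page's own trace (a subset of frames, with made-up timestamps), the second is an unrelated warning with a placeholder path, included to show that it is filtered out.

```python
"""Scan kernel log text for the lockdep signature reported for CVE-2024-36286."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

NFQUEUE_FILE = "net/netfilter/nfnetlink_queue.c"

# dmesg lines usually carry a "[  123.456789] " timestamp prefix; strip it first.
_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s*")
_WARNING = re.compile(r"WARNING: suspicious RCU usage")
# "6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted"
_VERSION = re.compile(r"^(\S+)\s+#\d+\s+(?:Not tainted|Tainted:)")
# "net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!"
_LOCATION = re.compile(r"^(\S+\.c:\d+)\s+suspicious rcu_dereference\w*\(\) usage!")
# "nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397" or
# "nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]"
_FRAME = re.compile(
    r"^(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+\.[ch]:\d+)(?:\s+\[inline\])?$")


@dataclass
class RcuWarning:
    kernel: str = ""
    location: str = ""  # file:line whose rcu_dereference_check() fired
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, file:line)

    def touches_nfqueue(self) -> bool:
        return NFQUEUE_FILE in self.location or any(
            NFQUEUE_FILE in loc for _, loc in self.frames)

    def in_rcu_callback(self) -> bool:
        # The CVE's trace fires from an RCU callback run by rcu_do_batch()/rcu_core().
        return any(sym.startswith(("rcu_do_batch", "rcu_core")) for sym, _ in self.frames)


def parse_rcu_warnings(lines: Iterable[str]) -> List[RcuWarning]:
    """Split a log into one RcuWarning per lockdep splat."""
    warnings: List[RcuWarning] = []
    cur: Optional[RcuWarning] = None
    in_trace = False
    for raw in lines:
        line = _TS.sub("", raw).strip()
        if _WARNING.search(line):
            cur = RcuWarning()
            warnings.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if line == "</TASK>":  # end of the splat
            cur, in_trace = None, False
            continue
        m = _VERSION.match(line)
        if m and not cur.kernel:
            cur.kernel = m.group(1)
            continue
        m = _LOCATION.match(line)
        if m:
            cur.location = m.group(1)
            continue
        if in_trace:
            m = _FRAME.match(line)
            if m:
                cur.frames.append((m.group(1), m.group(2)))
    return warnings


def find_cve_2024_36286_signatures(lines: Iterable[str]) -> List[RcuWarning]:
    """Keep only splats matching the nfnetlink_queue-inside-RCU-callback pattern."""
    return [w for w in parse_rcu_warnings(lines)
            if w.touches_nfqueue() and w.in_rcu_callback()]


# Constructed sample log (timestamps and the second splat are made up).
SAMPLE_LOG = """\
[  120.001] WARNING: suspicious RCU usage
[  120.001] 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
[  120.001] net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage!
[  120.001] Call Trace:
[  120.001]  <IRQ>
[  120.001]  nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline]
[  120.001]  nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397
[  120.001]  nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline]
[  120.001]  instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172
[  120.001]  rcu_do_batch kernel/rcu/tree.c:2196 [inline]
[  120.001]  rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471
[  120.001]  </IRQ>
[  120.001]  </TASK>
[  300.500] WARNING: suspicious RCU usage
[  300.500] 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted
[  300.500] drivers/placeholder/unrelated.c:42 suspicious rcu_dereference_check() usage!
[  300.500] Call Trace:
[  300.500]  placeholder_fn+0x10/0x20 drivers/placeholder/unrelated.c:42
[  300.500]  </TASK>
"""

if __name__ == "__main__":
    for w in find_cve_2024_36286_signatures(SAMPLE_LOG.splitlines()):
        path = " <- ".join(sym for sym, loc in w.frames if NFQUEUE_FILE in loc)
        print(f"{w.kernel}: unprotected RCU dereference at {w.location} via {path}")
```

Run it against `dmesg` or `journalctl -k` output in place of SAMPLE_LOG. A hit on a production kernel means lockdep is enabled and the unpatched path was exercised; a kernel without CONFIG_PROVE_RCU will not print this warning at all, so absence of hits is not evidence of being patched, and the kernel version check against the distribution's fixed package remains the primary control.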


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-21T10:13:16.315Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2546

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 9:39:58 AM

Last updated: 7/29/2025, 1:37:30 AM
