CVE-2024-36886: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix UAF in error path

Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported a UAF in the tipc_buf_append() error path:

BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034

CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack linux/lib/dump_stack.c:88
 dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
 print_address_description linux/mm/kasan/report.c:377
 print_report+0xc4/0x620 linux/mm/kasan/report.c:488
 kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
 kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
 skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
 skb_release_all linux/net/core/skbuff.c:1094
 __kfree_skb linux/net/core/skbuff.c:1108
 kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
 kfree_skb linux/./include/linux/skbuff.h:1244
 tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
 tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
 tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
 tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
 tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
 udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
 udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
 udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
 __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
 ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
 dst_input linux/./include/net/dst.h:461
 ip_rcv_finish linux/net/ipv4/ip_input.c:449
 NF_HOOK linux/./include/linux/netfilter.h:314
 NF_HOOK linux/./include/linux/netfilter.h:308
 ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534
 __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648
 process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976
 __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576
 napi_poll linux/net/core/dev.c:6645
 net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781
 __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553
 do_softirq linux/kernel/softirq.c:454
 do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381
 local_bh_enable linux/./include/linux/bottom_half.h:33
 rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851
 __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378
 dev_queue_xmit linux/./include/linux/netdevice.h:3169
 neigh_hh_output linux/./include/net/neighbour.h:526
 neigh_output linux/./include/net/neighbour.h:540
 ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235
 __ip_finish_output linux/net/ipv4/ip_output.c:313
 __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323
 NF_HOOK_COND linux/./include/linux/netfilter.h:303
 ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433
 dst_output linux/./include/net/dst.h:451
 ip_local_out linux/net/ipv4/ip_output.c:129
 ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492
 udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963
 udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250
 inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850
 sock_sendmsg_nosec linux/net/socket.c:730
 __sock_sendmsg linux/net/socket.c:745
 __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191
 __do_sys_sendto linux/net/socket.c:2203
 __se_sys_sendto linux/net/socket.c:2199
 __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199
 do_syscall_x64 linux/arch/x86/entry/common.c:52
 do_syscall_ ---truncated---
AI Analysis
Technical Summary
CVE-2024-36886 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol implementation. The flaw sits in the error-handling path of tipc_buf_append(), where socket buffer (skb) memory is mismanaged so that a buffer that has already been freed is touched again. It was reported by Sam Page (sam4k) working with Trend Micro's Zero Day Initiative and was caught by the Kernel Address Sanitizer (KASAN) as a slab-use-after-free: an 8-byte read of freed memory. The stack trace locates that read in the network core's skb teardown rather than in TIPC itself: kfree_skb(), called from the tipc_buf_append() error path, descends through skb_release_data() into kfree_skb_list_reason(), which walks the buffer's fragment list, and there it reads an skb that has already been released. The trace also shows how the code is reached: the reproducer's own sendto() transmits a UDP datagram (the <TASK> half), which is received on the same host in softirq context and handed by tipc_udp_recv() to tipc_rcv(), tipc_link_rcv() and tipc_link_input() (the <IRQ> half); that receive path is the same one that processes datagrams arriving from the network. TIPC is a protocol for efficient communication between nodes in a cluster and is commonly used in high-availability and distributed systems. Exploiting this vulnerability could allow an unauthenticated attacker to execute arbitrary code, cause a denial of service (system crash), or escalate privileges by manipulating kernel memory. The CVSS v3.1 score of 8.1 reflects the network attack vector, high impact on confidentiality, integrity and availability, and the absence of required privileges or user interaction, offset by high attack complexity. The vulnerability affects Linux kernel versions prior to the fix and is relevant to any Linux-based system that uses TIPC, including servers, embedded devices and cloud infrastructure. No exploits are currently known in the wild, but kernel memory corruption of this kind warrants prompt attention. Since the provided data carries no patch link, organizations should monitor the official Linux kernel repositories and their distributions for updates addressing this issue.
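The KASAN report quoted in the description is what kernel-level monitoring (mitigation 4 below) would actually see in the kernel log. The shell function below is an added example, not part of the advisory, of the kernel commit, or of any tool the page names: it reduces such a report to one structured line that an alerting pipeline can key on, distinguishing the core skb function that tripped KASAN from the first frame in the subsystem that owns the bug (net/tipc). It assumes dmesg-style "[ timestamp]" prefixes and the frame layout shown in the advisory's trace; the sample log inside the block is constructed (a shortened copy of that trace with timestamps added).

```shell
#!/bin/sh
# Added example (not from the advisory): turn a KASAN report found in the
# kernel log into one structured line for alerting. Assumes dmesg/journal
# text with a "[ timestamp]" prefix; field and frame layout follow the
# advisory's trace.

# Constructed sample: a shortened version of the advisory's report with
# dmesg-style timestamps added.
sample_kasan_log() {
    cat <<'EOF'
[  120.001] BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
[  120.002] Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
[  120.003] CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
[  120.004] Call Trace:
[  120.005]  kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
[  120.006]  skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
[  120.007]  tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
[  120.008]  tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
[  120.009]  NF_HOOK linux/./include/linux/netfilter.h:314
EOF
}

# Read kernel log text on stdin; print "no-kasan-report" or one line with
# the bug class, the function that touched freed memory, the access kind
# and size, the task, and the first frame inside net/tipc.
kasan_summary() {
    awk '
    /BUG: KASAN:/ {
        # "BUG: KASAN: <type> in <func>+0x<off>/0x<size> <file:line>"
        for (i = 1; i <= NF; i++)
            if ($i == "KASAN:") { type = $(i + 1); fn = $(i + 3) }
        sub(/\+0x.*/, "", fn)               # drop the +offset/size suffix
    }
    / of size [0-9]+ at addr / {
        # "<Read|Write> of size N at addr ... by task <comm>/<pid>"
        for (i = 1; i <= NF; i++) {
            if ($i == "of" && $(i + 1) == "size") { access = $(i - 1); size = $(i + 2) }
            if ($i == "task") { split($(i + 1), t, "/"); task = t[1]; pid = t[2] }
        }
    }
    /linux\/net\/tipc\// && frame == "" {
        line = $0
        sub(/^\[[^]]*\][ \t]*/, "", line)   # strip "[ timestamp] "
        split(line, a, /[ \t+]/)            # first token, up to space or "+"
        frame = a[1]                        # works for inlined frames too
    }
    END {
        if (type == "") { print "no-kasan-report"; exit }
        printf "type=%s func=%s access=%s size=%s task=%s pid=%s tipc_frame=%s\n",
               type, fn, access, size, task, pid, frame
    }'
}

# Demo on the constructed sample; on a live host: dmesg | kasan_summary
sample_kasan_log | kasan_summary
```

On the constructed sample the function reports the slab-use-after-free in kfree_skb_list_reason(), the 8-byte read by task poc (PID 8034), and tipc_buf_append() as the owning TIPC frame; a log without a KASAN line yields "no-kasan-report", so the function can be polled safely.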
Potential Impact
For European organizations, the impact of CVE-2024-36886 can be significant, especially for those relying on Linux-based infrastructure in critical sectors such as telecommunications, finance, healthcare, and government services. Since TIPC is used in clustered and high-availability environments, exploitation could disrupt inter-node communication, leading to service outages or degraded performance. Confidentiality breaches could occur if attackers leverage the vulnerability to access sensitive data processed or transmitted by affected systems. Integrity and availability impacts could manifest as kernel panics or system crashes, potentially causing downtime and operational disruptions. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, the vulnerability poses a risk to a broad range of systems. Attackers exploiting this flaw remotely without authentication could target exposed network interfaces, increasing the threat surface. The high attack complexity somewhat limits immediate exploitation but does not eliminate the risk, especially from sophisticated threat actors. The absence of known exploits in the wild provides a window for mitigation but should not lead to complacency.
Mitigation Recommendations
European organizations should implement the following specific mitigation strategies:

1. Immediate Patch Deployment: Monitor Linux kernel updates from trusted sources such as the official kernel.org repository and major Linux distributions (Debian, Ubuntu, Red Hat, SUSE). Apply patches addressing CVE-2024-36886 as soon as they become available.
2. Disable TIPC if Unused: If TIPC is not required for operational purposes, disable the TIPC kernel module to eliminate the attack vector.
3. Network Segmentation: Restrict access to network interfaces that handle TIPC traffic using firewalls and network segmentation to limit exposure to untrusted networks.
4. Intrusion Detection: Deploy kernel-level monitoring tools and network intrusion detection systems capable of identifying anomalous TIPC traffic or kernel memory corruption attempts.
5. Harden Kernel Security: Enable kernel security features such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and seccomp filters to reduce the likelihood of successful exploitation.
6. Incident Response Preparedness: Prepare for potential exploitation by ensuring robust backup and recovery procedures, and maintain up-to-date incident response plans focused on kernel-level compromises.
7. Vendor Coordination: Engage with Linux distribution vendors and hardware providers to receive timely advisories and support for patching and mitigation.
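As an added example that is not part of the advisory or of the Linux kernel project, the shell functions below implement the checks and configuration behind mitigations 2, 3 and 5 in a form that can be run on a host or tested offline. They assume modprobe.d and nftables are in use, that TIPC's UDP bearer uses its IANA-assigned port 6118, and that the cluster prefix passed to tipc_nft_ruleset is the only legitimate source of TIPC traffic; the /proc/modules and /proc/cmdline samples inside the block are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Linux kernel project:
# helpers for mitigations 2 (disable TIPC), 3 (segment TIPC traffic) and
# 5 (kernel hardening). Assumptions: modprobe.d and nftables are in use;
# TIPC-over-UDP listens on its IANA port 6118; the cluster prefix given to
# tipc_nft_ruleset is the only legitimate source of TIPC datagrams.

# Report whether the tipc module is currently loaded, reading a
# /proc/modules-style listing from the file given as $1.
tipc_module_state() {
    if grep -q '^tipc ' "$1"; then echo loaded; else echo absent; fi
}

# modprobe.d fragment that prevents the module from being loaded at all.
# "install tipc /bin/false" blocks explicit modprobe requests; "blacklist"
# only stops alias-based autoloading, so both are used. Has no effect on a
# kernel built with CONFIG_TIPC=y (see modules.builtin) or on an already
# loaded module (modprobe -r tipc, or reboot).
tipc_blacklist_conf() {
    cat <<'EOF'
# Disable TIPC: unused on this host, and CVE-2024-36886 is reachable over the network
install tipc /bin/false
blacklist tipc
EOF
}

# nftables ruleset that accepts TIPC-over-UDP only from the cluster prefix $1
# and counts and drops it from anywhere else. This covers the UDP bearer in
# the advisory's trace (tipc_udp_recv); an Ethernet bearer carries raw TIPC
# frames and is not matched by these L3/L4 rules.
tipc_nft_ruleset() {
    cat <<EOF
table inet tipc_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $1 udp dport 6118 accept
        udp dport 6118 counter drop
    }
}
EOF
}

# Summarise KASLR/KPTI state from a kernel command line given on stdin:
# "nokaslr" disables KASLR; "nopti" or "pti=off" disables KPTI.
kernel_hardening_status() {
    awk '{
        kaslr = "on"; pti = "on"
        for (i = 1; i <= NF; i++) {
            if ($i == "nokaslr") kaslr = "off"
            if ($i == "nopti" || $i == "pti=off") pti = "off"
        }
        printf "kaslr=%s pti=%s\n", kaslr, pti
    }'
}

# Constructed samples standing in for /proc/modules and /proc/cmdline.
sample_modules() {
    printf '%s\n' 'tipc 430080 0 - Live 0x0000000000000000' \
                  'udp_tunnel 32768 1 tipc, Live 0x0000000000000000'
}
sample_cmdline() {
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro quiet nokaslr\n'
}

# Demo on the constructed data. On a real host use /proc/modules,
# /proc/cmdline and your own cluster prefix, and write the modprobe
# fragment to /etc/modprobe.d/disable-tipc.conf.
tmp=$(mktemp)
sample_modules > "$tmp"
echo "tipc module: $(tipc_module_state "$tmp")"
rm -f "$tmp"
sample_cmdline | kernel_hardening_status
tipc_blacklist_conf
tipc_nft_ruleset 10.0.0.0/24
```

Before blacklisting, confirm the module really is unused (`tipc bearer list` from iproute2 should show no bearers); the constructed cmdline deliberately carries nokaslr so the check reports kaslr=off. Nothing here replaces the kernel update in mitigation 1; these steps only shrink exposure until it is applied.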
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.065Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2587
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 7/3/2025, 12:40:53 AM
Last updated: 7/31/2025, 9:07:05 PM
Views: 9