
CVE-2024-36928: Vulnerability in Linux Linux

Severity: Medium
Published: Thu May 30 2024 (05/30/2024, 15:29:20 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: Fix kernel panic after setting hsuid

Symptom:
When the hsuid attribute is set for the first time on an IQD Layer3 device while the corresponding network interface is already UP, the kernel will try to execute a napi function pointer that is NULL.

Example:
---------------------------------------------------------------------------
[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP
[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp scsi_transport_fc sunrpc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink ghash_s390 prng xts aes_s390 des_s390 des_generic sha3_512_s390 sha3_256_s390 sha512_s390 vfio_ccw vfio_mdev mdev vfio_iommu_type1 eadm_sch vfio ext4 mbcache jbd2 qeth_l2 bridge stp llc dasd_eckd_mod qeth dasd_mod qdio ccwgroup pkey zcrypt
[ 2057.572739] CPU: 6 PID: 60182 Comm: stress_client Kdump: loaded Not tainted 4.18.0-541.el8.s390x #1
[ 2057.572742] Hardware name: IBM 3931 A01 704 (LPAR)
[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)
[ 2057.572748]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3
[ 2057.572751] Krnl GPRS: 0000000000000004 0000000000000000 00000000a3b008d8 0000000000000000
[ 2057.572754]            00000000a3b008d8 cb923a29c779abc5 0000000000000000 00000000814cfd80
[ 2057.572756]            000000000000012c 0000000000000000 00000000a3b008d8 00000000a3b008d8
[ 2057.572758]            00000000bab6d500 00000000814cfd80 0000000091317e46 00000000814cfc68
[ 2057.572762] Krnl Code:#0000000000000000: 0000                illegal
                         >0000000000000002: 0000                illegal
                          0000000000000004: 0000                illegal
                          0000000000000006: 0000                illegal
                          0000000000000008: 0000                illegal
                          000000000000000a: 0000                illegal
                          000000000000000c: 0000                illegal
                          000000000000000e: 0000                illegal
[ 2057.572800] Call Trace:
[ 2057.572801] ([<00000000ec639700>] 0xec639700)
[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398
[ 2057.572809]  [<0000000091515f76>] __do_softirq+0x11e/0x3a0
[ 2057.572813]  [<0000000090ce160c>] do_softirq_own_stack+0x3c/0x58
[ 2057.572817] ([<0000000090d2cbd6>] do_softirq.part.1+0x56/0x60)
[ 2057.572822]  [<0000000090d2cc60>] __local_bh_enable_ip+0x80/0x98
[ 2057.572825]  [<0000000091314706>] __dev_queue_xmit+0x2be/0xd70
[ 2057.572827]  [<000003ff803dd6d6>] afiucv_hs_send+0x24e/0x300 [af_iucv]
[ 2057.572830]  [<000003ff803dd88a>] iucv_send_ctrl+0x102/0x138 [af_iucv]
[ 2057.572833]  [<000003ff803de72a>] iucv_sock_connect+0x37a/0x468 [af_iucv]
[ 2057.572835]  [<00000000912e7e90>] __sys_connect+0xa0/0xd8
[ 2057.572839]  [<00000000912e9580>] sys_socketcall+0x228/0x348
[ 2057.572841]  [<0000000091514e1a>] system_call+0x2a6/0x2c8
[ 2057.572843] Last Breaking-Event-Address:
[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8
[ 2057.572846]
[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt
---------------------------------------------------------------------------

Analysis:
There is one napi structure per out_q: card->qdio.out_qs[i].napi
The napi.poll functions are set during qeth_open().

Since commit 1cfef80d4c2b ("s390/qeth: Don't call dev_close/dev_open (DOWN/UP)") qeth_set_offline()/qeth_set_online() no longer call dev_close()/dev_open(). So if qeth_free_qdio_queues() cleared card->qdio.out_qs[i].napi.poll while the network interface was UP and the card was offline, they are not set again.

Reproduction:
chzdev -e $devno layer2=0
ip link set dev $network_interface up
echo 0 > /sys/bus/ccw ---truncated---
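A triage helper for the panic signature shown in the example above, as an added example that is not part of the advisory or the kernel patch: it checks an oops for a PSW address in the first page, a loaded qeth module, net_rx_action in the call trace and __napi_poll as the last breaking event. The function names and the 0x1000 threshold are assumptions, and a match is only a heuristic, since any driver with a NULL napi poll pointer would panic the same way.

```python
import re

# Constructed sample: key lines copied from the oops in the description above.
SAMPLE_OOPS = """\
[ 2057.572696] illegal operation: 0001 ilc:1 [#1] SMP
[ 2057.572702] Modules linked in: af_iucv qeth_l3 zfcp qeth_l2 bridge qeth qdio ccwgroup
[ 2057.572744] Krnl PSW : 0704f00180000000 0000000000000002 (0x2)
[ 2057.572800] Call Trace:
[ 2057.572803]  [<00000000913183e2>] net_rx_action+0x2ba/0x398
[ 2057.572843] Last Breaking-Event-Address:
[ 2057.572844]  [<0000000091317e44>] __napi_poll+0x4c/0x1d8
[ 2057.572847] Kernel panic - not syncing: Fatal exception in interrupt
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")           # dmesg timestamp prefix
PSW = re.compile(r"Krnl PSW\s*:\s*[0-9a-f]{16}\s+([0-9a-f]{16})")
SYM = re.compile(r"\[<[0-9a-f]+>\]\s+(\w+)\+0x")   # symbol in a trace line


def triage_oops(text):
    """Return which indicators of the NULL napi.poll panic are present."""
    lines = [TS.sub("", ln).rstrip() for ln in text.splitlines()]
    found = {"psw_in_page_zero": False, "qeth_loaded": False,
             "net_rx_action_in_trace": False, "last_break_napi_poll": False}
    for i, line in enumerate(lines):
        m = PSW.search(line)
        if m:
            # A PSW address inside the first page means the CPU branched to
            # (nearly) address zero, i.e. it called a NULL function pointer.
            found["psw_in_page_zero"] = int(m.group(1), 16) < 0x1000
        if line.startswith("Modules linked in:"):
            mods = line.split(":", 1)[1].split()
            found["qeth_loaded"] = any(x.startswith("qeth") for x in mods)
        s = SYM.search(line)
        if s and s.group(1) == "net_rx_action":
            found["net_rx_action_in_trace"] = True
        if line.startswith("Last Breaking-Event-Address:") and i + 1 < len(lines):
            nxt = SYM.search(lines[i + 1])
            found["last_break_napi_poll"] = bool(nxt and nxt.group(1) == "__napi_poll")
    return found


def looks_like_qeth_napi_panic(text):
    """Heuristic verdict: every indicator must be present."""
    return all(triage_oops(text).values())


if __name__ == "__main__":
    print(triage_oops(SAMPLE_OOPS), looks_like_qeth_napi_panic(SAMPLE_OOPS))
```

Feed it the text of a saved console log or kdump dmesg; a False verdict with `psw_in_page_zero` set still points at a NULL function-pointer call in some other path.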

AI-Powered Analysis

Last updated: 06/28/2025, 03:40:46 UTC

Technical Analysis

CVE-2024-36928 is a medium-severity vulnerability in the Linux kernel's qeth network driver for the s390 architecture, which is used primarily on IBM Z mainframe systems. The issue arises when the hsuid attribute is set for the first time on an IQD Layer3 device while the corresponding network interface is already in the UP state. Under these conditions, the kernel attempts to call a napi (New API) poll function pointer that is NULL, leading to a kernel panic. The root cause is a change in qeth driver behavior: qeth_set_offline() and qeth_set_online() no longer call dev_close() and dev_open(), respectively. The napi.poll functions are set during qeth_open(), so if they were cleared while the network interface was UP but the card was offline, they are not set again, and the kernel calls the NULL pointer during network packet processing. The vulnerability manifests as a fatal exception in interrupt context, causing the system to panic and become unavailable. The affected Linux kernel versions include several commits prior to the fix, and the vulnerability is specific to the s390 architecture and the qeth driver. Exploitation requires local access with high privileges and no user interaction. The impact is limited to availability; confidentiality and integrity are not affected. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations, the impact of CVE-2024-36928 is primarily on availability of critical systems running Linux on IBM Z mainframes, which are used in sectors such as banking, finance, insurance, and government. A kernel panic on these systems can cause service outages, disrupt business operations, and potentially lead to data processing delays. Since the vulnerability requires local privileged access, the risk is higher in environments where multiple users have elevated permissions or where attackers can escalate privileges. The unavailability of mainframe services can have significant operational and financial consequences, especially in industries relying on high-availability systems. However, the vulnerability does not expose data confidentiality or integrity, limiting the scope of damage to denial-of-service conditions. Organizations with IBM Z infrastructure in Europe should be aware of this vulnerability and prioritize patching to maintain system stability and uptime.

Mitigation Recommendations

1. Apply the official Linux kernel patches that address this vulnerability as soon as they become available from trusted sources or Linux distribution vendors.
2. Restrict local privileged access to IBM Z mainframe systems to trusted administrators only, minimizing the risk of exploitation.
3. Implement strict access controls and monitoring on systems running the s390 architecture to detect any unusual activity or attempts to set the hsuid attribute.
4. Regularly audit network interface configurations and avoid setting the hsuid attribute on IQD Layer3 devices while the interface is UP.
5. Use kernel live patching solutions if available to minimize downtime during patch deployment.
6. Maintain up-to-date backups and disaster recovery plans to quickly recover from potential kernel panics or system crashes.
7. Coordinate with IBM and Linux distribution vendors for any additional recommended mitigations or updates specific to the qeth driver and s390 platform.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-30T15:25:07.069Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddd6c

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:40:46 AM

Last updated: 8/14/2025, 8:21:12 PM
