
CVE-2024-36938: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

Severity: High
Published: Thu May 30 2024 (05/30/2024, 15:29:26 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() which syzbot reported [1].

[1]
BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enqueue

write to 0xffff88814b3278b8 of 8 bytes by task 10724 on cpu 1:
 sk_psock_stop_verdict net/core/skmsg.c:1257 [inline]
 sk_psock_drop+0x13e/0x1f0 net/core/skmsg.c:843
 sk_psock_put include/linux/skmsg.h:459 [inline]
 sock_map_close+0x1a7/0x260 net/core/sock_map.c:1648
 unix_release+0x4b/0x80 net/unix/af_unix.c:1048
 __sock_release net/socket.c:659 [inline]
 sock_close+0x68/0x150 net/socket.c:1421
 __fput+0x2c1/0x660 fs/file_table.c:422
 __fput_sync+0x44/0x60 fs/file_table.c:507
 __do_sys_close fs/open.c:1556 [inline]
 __se_sys_close+0x101/0x1b0 fs/open.c:1541
 __x64_sys_close+0x1f/0x30 fs/open.c:1541
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

read to 0xffff88814b3278b8 of 8 bytes by task 10713 on cpu 0:
 sk_psock_data_ready include/linux/skmsg.h:464 [inline]
 sk_psock_skb_ingress_enqueue+0x32d/0x390 net/core/skmsg.c:555
 sk_psock_skb_ingress_self+0x185/0x1e0 net/core/skmsg.c:606
 sk_psock_verdict_apply net/core/skmsg.c:1008 [inline]
 sk_psock_verdict_recv+0x3e4/0x4a0 net/core/skmsg.c:1202
 unix_read_skb net/unix/af_unix.c:2546 [inline]
 unix_stream_read_skb+0x9e/0xf0 net/unix/af_unix.c:2682
 sk_psock_verdict_data_ready+0x77/0x220 net/core/skmsg.c:1223
 unix_stream_sendmsg+0x527/0x860 net/unix/af_unix.c:2339
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x140/0x180 net/socket.c:745
 ____sys_sendmsg+0x312/0x410 net/socket.c:2584
 ___sys_sendmsg net/socket.c:2638 [inline]
 __sys_sendmsg+0x1e9/0x280 net/socket.c:2667
 __do_sys_sendmsg net/socket.c:2676 [inline]
 __se_sys_sendmsg net/socket.c:2674 [inline]
 __x64_sys_sendmsg+0x46/0x50 net/socket.c:2674
 do_syscall_64+0xd3/0x1d0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

value changed: 0xffffffff83d7feb0 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10713 Comm: syz-executor.4 Tainted: G W 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024

Prior to this, commit 4cd12c6065df ("bpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()") fixed one NULL pointer similarly due to no protection of saved_data_ready. Here is another different caller causing the same issue for the same reason. So we should protect it with the sk_callback_lock read lock, because the writer side in sk_psock_drop() uses "write_lock_bh(&sk->sk_callback_lock);". To avoid errors that could happen in the future, I moved those two pairs of locks into sk_psock_data_ready(), as suggested by John Fastabend.

AI-Powered Analysis

AI analysis last updated: 06/29/2025, 10:25:41 UTC

Technical Analysis

CVE-2024-36938 is a vulnerability in the Linux kernel's BPF sockmap code, specifically the socket message (skmsg) layer. It is a NULL pointer dereference caused by a data race in sk_psock_skb_ingress_enqueue(), the function that queues ingress socket messages. The Kernel Concurrency Sanitizer (KCSAN) reported the race between sk_psock_drop(), which clears psock->saved_data_ready under write_lock_bh(&sk->sk_callback_lock) on the socket close path, and sk_psock_data_ready() (inlined into sk_psock_skb_ingress_enqueue()), which read the same pointer on the sendmsg path without holding the lock; the report shows the value changing from a non-NULL pointer to 0 between the reader's check and its call. The root cause is therefore insufficient locking: the NULL check of saved_data_ready and the indirect call through it were not covered by sk_callback_lock. The bug can cause a kernel crash (denial of service) from dereferencing the NULL pointer and potentially memory corruption due to the data race. It is reached when one task closes a socket that belongs to a sockmap while another task is concurrently delivering data to it, so the two paths operate on the psock without adequate synchronization. The fix takes the sk_callback_lock read lock inside sk_psock_data_ready(), so the check and the call are performed together with respect to the writer. This vulnerability is distinct from but closely related to commit 4cd12c6065df, which fixed the same class of NULL pointer dereference in sk_psock_verdict_data_ready(). The CVE record identifies the affected kernel versions by commit 604326b41a6fb9b4a78b6179335decee0365cd8c, which covers recent kernel releases. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The flaw nonetheless sits in core kernel networking code that is critical to system stability and security.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running vulnerable Linux kernel versions, especially those utilizing advanced networking features such as BPF and socket maps. The impact includes potential kernel panics and system crashes caused by NULL pointer dereferences, leading to denial of service (DoS). This can disrupt critical services, especially in environments relying on Linux servers for networking, cloud infrastructure, container orchestration (e.g., Kubernetes), and telecommunications. Given the kernel-level nature of the flaw, exploitation could also facilitate privilege escalation or unauthorized kernel memory access if combined with other vulnerabilities, although this is not explicitly confirmed. The data race condition may also lead to unpredictable kernel behavior, increasing the risk of system instability. European enterprises with large-scale Linux deployments, including cloud providers, financial institutions, and critical infrastructure operators, could face operational disruptions. Additionally, the vulnerability could affect embedded Linux devices used in industrial control systems and IoT, which are prevalent in manufacturing and energy sectors across Europe. The absence of known exploits reduces immediate risk, but the technical complexity of the flaw means skilled attackers or automated fuzzing tools could develop exploits over time.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that address CVE-2024-36938 as soon as they are available from trusted sources or Linux distribution vendors.
2. Kernel version management: Ensure all Linux systems are running updated kernel versions that include the fix, especially for servers handling network traffic and BPF operations.
3. Restrict kernel module loading: Limit the ability to load or unload kernel modules to trusted administrators to reduce attack surface.
4. Network segmentation: Isolate critical Linux servers and limit exposure of vulnerable services to untrusted networks to reduce exploitation opportunities.
5. Monitoring and logging: Implement enhanced kernel and network monitoring to detect unusual crashes or anomalies that might indicate exploitation attempts.
6. Use of hardened kernels: Where possible, deploy hardened or security-focused Linux kernels that include additional concurrency and memory safety checks.
7. Container and virtualization security: For containerized environments, ensure host kernels are patched and consider runtime security tools that can detect kernel-level anomalies.
8. Incident response readiness: Prepare for potential denial of service incidents by having failover and recovery plans for critical Linux-based infrastructure.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-30T15:25:07.071Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9828c4522896dcbe2721

Added to database: 5/21/2025, 9:08:56 AM

Last enriched: 6/29/2025, 10:25:41 AM

Last updated: 8/2/2025, 12:59:42 AM
