CVE-2024-36946: Vulnerability in the Linux kernel (phonet)
In the Linux kernel, the following vulnerability has been resolved:

phonet: fix rtm_phonet_notify() skb allocation

fill_route() stores three components in the skb:
- struct rtmsg
- RTA_DST (u8)
- RTA_OIF (u32)

Therefore, rtm_phonet_notify() should use
NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4)
AI Analysis
Technical Summary
CVE-2024-36946 is a bug in the Linux kernel's phonet networking subsystem (net/phonet, the Nokia Phonet protocol used to talk to cellular modems), in the netlink route notification function rtm_phonet_notify(). When a phonet route is added or removed, rtm_phonet_notify() allocates a socket buffer (skb) with nlmsg_new() and calls fill_route() to build the RTM_NEWROUTE or RTM_DELROUTE message in it. fill_route() stores three things: a struct rtmsg (12 bytes), an RTA_DST attribute carrying a u8, and an RTA_OIF attribute carrying a u32. The allocation, however, was sized with NLMSG_ALIGN(sizeof(struct ifaddrmsg)), the 8-byte header of the address-notification message, so the requested payload was 4 bytes short of what fill_route() writes. The fix sizes the allocation as NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4).

What happens when the buffer is too small determines the severity. The helpers fill_route() uses, nlmsg_put() and nla_put(), check the skb's tailroom before writing and fail with -EMSGSIZE instead of writing past the end of the buffer, and rtm_phonet_notify() treats that failure as a WARN_ON and drops the notification. The defect is therefore a reliability bug (a kernel WARNING and a lost route notification, which is a crash only on systems running with panic_on_warn), not the memory corruption or privilege escalation that a mis-sized allocation might suggest. Whether the failure actually triggers also depends on how much slack the allocator leaves behind the requested size. Reaching rtm_phonet_notify() requires adding or deleting a phonet route, which the phonet netlink handler allows only to callers holding CAP_SYS_ADMIN, or unregistering a phonet interface that still has routes, itself a privileged operation. No exploitation in the wild has been reported.

The commit hash in the CVE record, f062f41d06575744b9eaf725eef8a5d3b5f5b7ca, is the commit that introduced the phonet routing netlink interface (the Fixes: tag of the correction), so it marks the start of the affected range: every kernel built with CONFIG_PHONET from that commit until the fix is affected, and a kernel built without phonet is not. The CVE was published on May 30, 2024. The "CISA Enriched: true" flag in the record means CISA's enrichment program has added data to the entry, not that CISA has flagged it as an active threat; no CVSS score has been assigned.
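To make the size arithmetic concrete, here is an added example that is not code from the Linux kernel: a user-space C model of the netlink helpers fill_route() relies on, with the UAPI structures mirrored locally so it builds without kernel headers. It builds the same three-component message into a buffer sized the old way (struct ifaddrmsg) and the fixed way (struct rtmsg), and shows that the old size runs out of tailroom at RTA_OIF and is refused with -EMSGSIZE rather than overrun. The sample route (destination 0x04 on device index 3) and the simplified rtmsg fields are constructed for the example.

```c
/*
 * Added example, not code from the Linux kernel: a user-space model of the
 * netlink helpers that fill_route() and rtm_phonet_notify() rely on.  The
 * structures and macros mirror the Linux UAPI layouts from linux/netlink.h
 * and linux/rtnetlink.h so the program builds without kernel headers.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- mirrors of the UAPI definitions --- */
struct nlmsghdr  { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
                   uint32_t nlmsg_seq; uint32_t nlmsg_pid; };               /* 16 bytes */
struct nlattr    { uint16_t nla_len; uint16_t nla_type; };                  /*  4 bytes */
struct ifaddrmsg { uint8_t ifa_family, ifa_prefixlen, ifa_flags, ifa_scope;
                   uint32_t ifa_index; };                                   /*  8 bytes */
struct rtmsg     { uint8_t rtm_family, rtm_dst_len, rtm_src_len, rtm_tos, rtm_table,
                   rtm_protocol, rtm_scope, rtm_type; uint32_t rtm_flags; }; /* 12 bytes */

#define NL_ALIGN(len)   (((len) + 3u) & ~(size_t)3u)   /* NLMSG_ALIGN / NLA_ALIGN, both 4-byte */
#define NLMSG_HDRLEN    NL_ALIGN(sizeof(struct nlmsghdr))
#define NLA_HDRLEN      NL_ALIGN(sizeof(struct nlattr))
#define RTM_NEWROUTE    24
#define RTA_DST         1
#define RTA_OIF         4
#define AF_PHONET       35

/* Minimal skb: 'end' is the allocated size, 'len' the bytes already put. */
struct skb { unsigned char data[256]; size_t len; size_t end; };

static size_t skb_tailroom(const struct skb *s)   { return s->end - s->len; }
static size_t nlmsg_total_size(size_t payload)    { return NL_ALIGN(NLMSG_HDRLEN + payload); }
static size_t nla_total_size(size_t payload)      { return NL_ALIGN(NLA_HDRLEN + payload); }

/* nlmsg_new(payload): the kernel allocates nlmsg_total_size(payload) bytes. */
static void nlmsg_new(struct skb *s, size_t payload)
{
    memset(s, 0, sizeof *s);
    s->end = nlmsg_total_size(payload);
}

/* nlmsg_put(): returns NULL when header plus payload would not fit; nothing is written. */
static struct nlmsghdr *nlmsg_put(struct skb *s, uint16_t type, size_t payload)
{
    size_t total = nlmsg_total_size(payload);
    if (skb_tailroom(s) < total)
        return NULL;
    struct nlmsghdr *nlh = (struct nlmsghdr *)(s->data + s->len);
    memset(nlh, 0, total);
    nlh->nlmsg_len = (uint32_t)(NLMSG_HDRLEN + payload);
    nlh->nlmsg_type = type;
    s->len += total;
    return nlh;
}

/* nla_put(): returns -EMSGSIZE when the attribute would not fit; nothing is written. */
static int nla_put(struct skb *s, uint16_t type, const void *value, size_t attrlen)
{
    size_t total = nla_total_size(attrlen);
    if (skb_tailroom(s) < total)
        return -EMSGSIZE;
    struct nlattr *nla = (struct nlattr *)(s->data + s->len);
    memset(nla, 0, total);
    nla->nla_len = (uint16_t)(NLA_HDRLEN + attrlen);
    nla->nla_type = type;
    memcpy((unsigned char *)nla + NLA_HDRLEN, value, attrlen);
    s->len += total;
    return 0;
}

/* The three components fill_route() stores: struct rtmsg, RTA_DST (u8), RTA_OIF (u32). */
static int fill_route(struct skb *s, uint8_t dst, uint32_t ifindex)
{
    struct nlmsghdr *nlh = nlmsg_put(s, RTM_NEWROUTE, sizeof(struct rtmsg));
    if (!nlh)
        return -EMSGSIZE;
    struct rtmsg *rtm = (struct rtmsg *)((unsigned char *)nlh + NLMSG_HDRLEN);
    rtm->rtm_family = AF_PHONET;   /* remaining rtmsg fields stay zero in this model */
    rtm->rtm_dst_len = 6;
    if (nla_put(s, RTA_DST, &dst, sizeof dst) < 0 ||
        nla_put(s, RTA_OIF, &ifindex, sizeof ifindex) < 0)
        return -EMSGSIZE;
    nlh->nlmsg_len = (uint32_t)(s->len - (size_t)((unsigned char *)nlh - s->data)); /* nlmsg_end() */
    return 0;
}

/* Payload sizes requested before and after the fix, and what fill_route() really consumes. */
size_t old_payload(void)   { return NL_ALIGN(sizeof(struct ifaddrmsg)) + nla_total_size(1) + nla_total_size(4); }
size_t fixed_payload(void) { return NL_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4); }
size_t bytes_needed(void)  { return nlmsg_total_size(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4); }

/* rtm_phonet_notify() model: allocate 'payload', build the message, return 0 or -EMSGSIZE
 * (the kernel WARN_ONs the latter and drops the notification). */
int notify_with_payload(size_t payload)
{
    struct skb s;
    nlmsg_new(&s, payload);
    return fill_route(&s, 0x04, 3);   /* constructed sample: destination 0x04 on device index 3 */
}

/* Tailroom left after the attempt, to see exactly where the old size runs out. */
size_t tailroom_after(size_t payload)
{
    struct skb s;
    nlmsg_new(&s, payload);
    (void)fill_route(&s, 0x04, 3);
    return skb_tailroom(&s);
}

int main(void)
{
    printf("old   payload %zu: err %d, tailroom left %zu\n",
           old_payload(), notify_with_payload(old_payload()), tailroom_after(old_payload()));
    printf("fixed payload %zu: err %d, tailroom left %zu (message needs %zu bytes)\n",
           fixed_payload(), notify_with_payload(fixed_payload()), tailroom_after(fixed_payload()),
           bytes_needed());
    return 0;
}
```

With the old size the header and RTA_DST fit, 4 bytes of tailroom remain, and RTA_OIF needs 8, so nla_put() refuses it; with the fixed size the 44-byte message fits exactly. A real skb may carry allocator slack beyond the requested size, which is why the kernel failure is configuration-dependent, but the check that rejects the write is the same one modelled here.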
Potential Impact
For European organizations the exposure is narrow. Phonet is the Nokia modem protocol and is used almost exclusively on embedded and mobile Linux systems that talk to a cellular modem; general-purpose servers and desktops rarely load the phonet module, and a kernel built without CONFIG_PHONET is not affected at all. Where the code is present, the realistic consequence is a kernel WARNING and a dropped route notification when a phonet route is added or removed, which becomes a denial of service only on systems configured with panic_on_warn, and only for a caller that already holds CAP_SYS_ADMIN. That places the bug well below the kernel memory-corruption class for the telecommunications, automotive and manufacturing deployments of embedded Linux where it matters most, although those devices are also the ones most likely to carry the phonet driver and the slowest to receive kernel updates. No exploitation in the wild has been reported. The fix is a one-line size correction and low-risk to take, so there is little reason to leave it out of the next scheduled kernel update; the confidentiality and integrity concerns that GDPR obligations attach to kernel-level flaws do not arise from this defect as the kernel handles it.
Mitigation Recommendations
Apply the kernel update that contains the fix for rtm_phonet_notify(); the change is a one-line correction of the nlmsg_new() size, landed in mainline in May 2024 and was backported to the stable series, so current distribution kernels include it. When auditing, note that the commit hash in the CVE record (f062f41d06575744b9eaf725eef8a5d3b5f5b7ca) marks the start of the affected range rather than a single vulnerable version: every kernel from that commit onward that lacks the fix is affected, and a kernel built without CONFIG_PHONET is not. For embedded or telephony devices, ask the vendor which firmware revision carries the patched kernel. Where updating is not immediately possible and the protocol is not needed, prevent the module from loading with a modprobe.d rule such as "install phonet /bin/false" (plus "blacklist phonet"), which removes the code path entirely; on systems where phonet is built into the kernel this is not an option. Keep CAP_SYS_ADMIN out of unprivileged containers and service accounts, since adding or deleting a phonet route requires it. A triggered instance appears as a kernel WARNING in rtm_phonet_notify in the kernel log, so alert on that signature; on fleets that run with panic_on_warn such a warning means a reboot, and that setting should be weighed against availability on devices that expose the phonet interface. Generic hardening such as KASLR, SELinux/AppArmor or seccomp does not change the outcome here, because the netlink helpers already refuse the oversized write.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.079Z
- CISA Enriched: true
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe2769
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 10:27:16 AM
Last updated: 8/9/2025, 12:54:00 AM
Related Threats
- CVE-2025-8831: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8829: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8828: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8827: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8826: Stack-based Buffer Overflow in Linksys RE6250 (High)