CVE-2024-36972: Vulnerability in Linux kernel (af_unix)

High
Published: Mon Jun 10 2024 (06/10/2024, 14:57:42 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.

Billy Jheng Bing-Jhong reported a race between __unix_gc() and queue_oob().

__unix_gc() tries to garbage-collect close()d inflight sockets, and then if the socket has MSG_OOB in unix_sk(sk)->oob_skb, GC will drop the reference and set NULL to it locklessly.

However, the peer socket can still send an MSG_OOB message and queue_oob() can update unix_sk(sk)->oob_skb concurrently, leading to a NULL pointer dereference. [0]

To fix the issue, let's update unix_sk(sk)->oob_skb under the sk_receive_queue's lock and take it everywhere we touch oob_skb.

Note that we defer kfree_skb() in manage_oob() to silence a lockdep false positive (See [1]).

[0]:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 8000000009f5e067 P4D 8000000009f5e067 PUD 9f5d067 PMD 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Workqueue: events delayed_fput
RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
Code: 39 e3 74 3e 8b 43 10 48 89 ef 83 e8 01 89 43 10 49 8b 44 24 08 49 c7 44 24 08 00 00 00 00 49 8b 14 24 49 c7 04 24 00 00 00 00 <48> 89 42 08 48 89 10 e8 e7 c5 42 00 4c 89 e0 5b 5d 41 5c c3 cc cc
RSP: 0018:ffffc900001bfd48 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff8880088f5ae8 RCX: 00000000361289f9
RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff8880088f5b00
RBP: ffff8880088f5b00 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000003 R11: 0000000000000001 R12: ffff8880056b6a00
R13: ffff8880088f5280 R14: 0000000000000001 R15: ffff8880088f5a80
FS:  0000000000000000(0000) GS:ffff88807dd80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000006314000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 <TASK>
 unix_release_sock (net/unix/af_unix.c:654)
 unix_release (net/unix/af_unix.c:1050)
 __sock_release (net/socket.c:660)
 sock_close (net/socket.c:1423)
 __fput (fs/file_table.c:423)
 delayed_fput (fs/file_table.c:444 (discriminator 3))
 process_one_work (kernel/workqueue.c:3259)
 worker_thread (kernel/workqueue.c:3329 kernel/workqueue.c:3416)
 kthread (kernel/kthread.c:388)
 ret_from_fork (arch/x86/kernel/process.c:153)
 ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
 </TASK>
Modules linked in:
CR2: 0000000000000008

AI-Powered Analysis

Last updated: 07/02/2025, 21:56:28 UTC

Technical Analysis

CVE-2024-36972 is a high-severity race condition in the Linux kernel's AF_UNIX (UNIX domain socket) code, net/unix/af_unix.c. The shared state is the per-socket pointer unix_sk(sk)->oob_skb, which holds the sk_buff carrying a pending out-of-band byte on a SOCK_STREAM UNIX socket. AF_UNIX gained MSG_OOB support in Linux 5.15, under CONFIG_AF_UNIX_OOB, so the affected code path exists only in 5.15 and later kernels built with that option (the default). Two paths write that pointer. The socket garbage collector, __unix_gc(), reclaims sockets that were close()d while their file descriptor was still "in flight", that is, queued inside an SCM_RIGHTS message on another socket; for such a socket it dropped the reference held in oob_skb and set the pointer to NULL without taking any lock. The sender-side queue_oob() runs when the peer writes with MSG_OOB and stores the new sk_buff into the receiver's oob_skb. With nothing serialising the two, they can interleave, leaving the socket's sk_buff state inconsistent.

The crash in the report shows how that ends: the deferred close of the socket's file (delayed_fput, running on a kworker) reaches unix_release_sock(), which drains sk_receive_queue with skb_dequeue() and faults on a supervisor write to address 0x8, a NULL pointer plus a small offset. The oops is raised in kernel-thread context rather than in the process that triggered the race, which is why the report lists kworker/3:1 as Comm.

The fix takes sk_receive_queue's spinlock around every access to oob_skb, so the collector and the sender can no longer see each other's half-finished update. The kfree_skb() in manage_oob() is additionally deferred until after that lock is dropped; the commit message notes this is to silence a lockdep false positive, not a second bug.

The CVE record identifies affected and fixed versions by kernel commit hash rather than by version number; consult the record or your distribution's advisory for the ranges that apply to your kernel. The score recorded on this entry is CVSS v3.1 7.5 (high). When reading it, note that the attack surface is local, not network-facing: AF_UNIX sockets are reachable only from processes running on the same kernel. Creating them, passing them with SCM_RIGHTS and sending MSG_OOB need no privilege, however, so any local user or container workload can reach the racy code. The demonstrated effect is a kernel oops, i.e. denial of service for the whole host. Turning a NULL-page write into privilege escalation is not demonstrated, and on any kernel where user space cannot map the NULL page (vm.mmap_min_addr greater than zero, the default) the dereference is a crash rather than a controllable memory access; treat escalation claims as speculative unless a concrete chain is published. No exploits in the wild have been reported.

Potential Impact

The practical impact is denial of service. The race is reached through ordinary AF_UNIX operations (stream sockets, descriptor passing with SCM_RIGHTS, MSG_OOB sends and close()), none of which require privilege, so any local process can crash the kernel and with it every service on the host. For European organizations this matters most where untrusted or semi-trusted code runs on a shared kernel: multi-tenant cloud and container platforms, CI build hosts, HPC and shared development servers, and telecommunications or industrial control systems with long patch cycles. A container boundary offers no protection, because containers share the host kernel; an unprivileged tenant can take down the node for all tenants. A kernel crash also loses any unflushed state, so stateful services on the affected host face data loss on top of downtime. The confidentiality and integrity impact is not demonstrated by the published crash, which is a write to the NULL page; on a kernel with vm.mmap_min_addr enforced that is a crash, not an attacker-controlled write. No exploitation in the wild has been reported, but because the trigger is an API sequence available to every local user, unpatched hosts that run third-party code should be treated as a priority.

Mitigation Recommendations

Apply the fixed kernel. Distribution kernels carry the fix as a stable backport; check your vendor's advisory for CVE-2024-36972 and reboot into the updated kernel, since a kernel package update is not effective until reboot (or live-patching). First confirm exposure: kernels older than 5.15, or built without CONFIG_AF_UNIX_OOB (check /boot/config-$(uname -r)), do not contain the affected code path. Until the patched kernel is running:
1) Treat this as a local denial-of-service primitive, not a remote one. AF_UNIX sockets are not reachable over the network, so exposure comes from untrusted local code: unprivileged shell users, CI runners and container workloads, all of which share the host kernel.
2) Monitor the kernel log (dmesg, journalctl -k) for "BUG: kernel NULL pointer dereference" oops records whose call trace passes through net/unix/af_unix.c (unix_release_sock) as in the trace above. An unexplained oops of that shape on an unpatched host is the signal to prioritise that host.
3) Keep vm.mmap_min_addr at its default non-zero value (65536 on most distributions) so user space cannot map the NULL page; that confines the dereference to a crash rather than an attacker-controlled memory access. KASLR and CFI do not change the outcome of this bug. Decide deliberately on kernel.panic_on_oops: the oops here kills a kworker thread, and a host that continues after that can be left in an inconsistent state, so many operators prefer a clean panic and reboot over a wedged host.
4) Where workloads do not need MSG_OOB on UNIX sockets, a seccomp filter can reject send, sendto, sendmsg and sendmmsg calls with the MSG_OOB flag set; the flags argument is passed by value, so the check is not subject to time-of-check/time-of-use. Test per workload before deploying, because the same flag carries TCP urgent data, and treat this as hardening, not a substitute for the patch.
5) On multi-tenant hosts, only VM-level isolation, or sandboxes that interpose their own kernel implementation (Kata Containers, gVisor), limit the blast radius; a container boundary does not.
6) Test kernel updates in staging before broad rollout, then roll them out promptly rather than waiting for the next maintenance window.
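Added example, not from the advisory or the kernel project: a small Python parser for the oops signature quoted in the description, usable as the kernel-log check in item 2 above. It runs over a constructed dmesg excerpt modelled on the published trace; the bracketed timestamps, the "end trace" marker and the unrelated USB line are assumptions added as realistic surrounding noise. The signature match is a triage heuristic (NULL-page write reached from the AF_UNIX release path), not proof that CVE-2024-36972 was triggered.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed dmesg excerpt modelled on the oops quoted in the advisory.
# Timestamps, the "end trace" line and the USB line are assumptions (noise).
SAMPLE_DMESG = """\
[  123.456789] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  123.456801] #PF: supervisor write access in kernel mode
[  123.456812] #PF: error_code(0x0002) - not-present page
[  123.456820] Oops: 0002 [#1] PREEMPT SMP PTI
[  123.456830] CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc5-00191-gd091e579b864 #110
[  123.456840] Workqueue: events delayed_fput
[  123.456850] RIP: 0010:skb_dequeue (./include/linux/skbuff.h:2386 ./include/linux/skbuff.h:2402 net/core/skbuff.c:3847)
[  123.456860] Call Trace:
[  123.456865]  <TASK>
[  123.456870]  unix_release_sock (net/unix/af_unix.c:654)
[  123.456875]  unix_release (net/unix/af_unix.c:1050)
[  123.456880]  __sock_release (net/socket.c:660)
[  123.456885]  sock_close (net/socket.c:1423)
[  123.456890]  __fput (fs/file_table.c:423)
[  123.456895]  delayed_fput (fs/file_table.c:444 (discriminator 3))
[  123.456900]  process_one_work (kernel/workqueue.c:3259)
[  123.456905]  </TASK>
[  123.456910] Modules linked in:
[  123.456915] CR2: 0000000000000008
[  123.456920] ---[ end trace 0000000000000000 ]---
[  200.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"^BUG: kernel NULL pointer dereference, address: (?:0x)?([0-9a-fA-F]+)")
PF_RE = re.compile(r"^#?PF: (?:supervisor|user) (read|write|instruction fetch) access")
CPU_RE = re.compile(r"^CPU: (\d+) PID: (\d+) Comm: (\S+)(?: .*?(\d+\.\d+\S*) #\d+)?")
WQ_RE = re.compile(r"^Workqueue: (.+)$")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(\S+)(?: \((.*)\))?")
# Frames look like "sym+0x1a/0x2b" or "sym (file.c:123)", with "? " on unreliable ones.
FRAME_RE = re.compile(r"^(?:\? )?([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: \((.*)\))?$")
END_RE = re.compile(r"^---\[ end trace")


@dataclass
class Frame:
    symbol: str
    location: str = ""


@dataclass
class OopsRecord:
    fault_address: int
    access: str = ""
    cpu: int = -1
    pid: int = -1
    comm: str = ""
    kernel: str = ""
    workqueue: str = ""
    rip_symbol: str = ""
    rip_location: str = ""
    frames: list = field(default_factory=list)

    def in_subsystem(self, path_prefix: str) -> bool:
        """True if the faulting instruction or any frame resolved to a file under path_prefix."""
        return any(path_prefix in loc for loc in [self.rip_location] + [f.location for f in self.frames])

    def is_null_page(self, mmap_min_addr: int = 65536) -> bool:
        """A fault below vm.mmap_min_addr is a NULL(+offset) dereference, not a wild pointer."""
        return self.fault_address < mmap_min_addr


def parse_oopses(log_text: str) -> list:
    """Split a kernel log into one OopsRecord per NULL-dereference BUG header."""
    records, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if (m := BUG_RE.match(line)):
            cur = OopsRecord(fault_address=int(m.group(1), 16))
            records.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        if END_RE.match(line):
            cur = None                      # record complete; ignore unrelated lines that follow
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if line.startswith("Modules linked in:"):
            in_trace = False
            continue
        if in_trace:                        # "<TASK>" / "</TASK>" markers do not match FRAME_RE
            if (m := FRAME_RE.match(line)):
                cur.frames.append(Frame(m.group(1), m.group(2) or ""))
            continue
        if (m := PF_RE.match(line)):
            cur.access = m.group(1)
        elif (m := CPU_RE.match(line)):
            cur.cpu, cur.pid, cur.comm = int(m.group(1)), int(m.group(2)), m.group(3)
            cur.kernel = m.group(4) or ""
        elif (m := WQ_RE.match(line)):
            cur.workqueue = m.group(1)
        elif (m := RIP_RE.match(line)):
            cur.rip_symbol = m.group(1).split("+")[0]
            cur.rip_location = m.group(2) or ""
    return records


def matches_af_unix_release_crash(rec: OopsRecord) -> bool:
    """Triage heuristic for the advisory's crash shape: NULL-page write reached via unix_release_sock()."""
    return (rec.is_null_page() and rec.access == "write"
            and rec.in_subsystem("net/unix/")
            and any(f.symbol == "unix_release_sock" for f in rec.frames))


def summarize(rec: OopsRecord) -> str:
    flag = "MATCH af_unix release NULL-deref" if matches_af_unix_release_crash(rec) else "other oops"
    trace = " <- ".join(f.symbol for f in rec.frames[:4])
    return (f"{flag}: kernel={rec.kernel} comm={rec.comm} pid={rec.pid} wq={rec.workqueue!r} "
            f"rip={rec.rip_symbol} addr=0x{rec.fault_address:x} trace={trace}")


if __name__ == "__main__":
    # Pipe `dmesg` or `journalctl -k --no-pager` in; with no stdin, run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for rec in parse_oopses(text):
        print(summarize(rec))
```

in_subsystem() is general: point it at any source prefix (net/ipv4/, fs/ext4/) to triage other crash families with the same parser.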


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-05-30T15:25:07.082Z
CISA Enriched
true
CVSS Version
3.1
State
PUBLISHED

Threat ID: 682d9821c4522896dcbdddb0

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 7/2/2025, 9:56:28 PM

Last updated: 8/17/2025, 4:41:45 AM
