CVE-2024-36979: Vulnerability in Linux (Linux kernel)
Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: mst: fix vlan use-after-free

syzbot reported a suspicious rcu usage[1] in bridge's mst code. While fixing it I noticed that nothing prevents a vlan from being freed while walking the list from the same path (br forward delay timer). Fix the rcu usage and also make sure we are not accessing freed memory by making br_mst_vlan_set_state use rcu read lock.

[1]
WARNING: suspicious RCU usage
6.9.0-rc6-syzkaller #0 Not tainted
-----------------------------
net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!
...
stack backtrace:
CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
nbp_vlan_group net/bridge/br_private.h:1599 [inline]
br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105
br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793
expire_timers kernel/time/timer.c:1844 [inline]
__run_timers kernel/time/timer.c:2418 [inline]
__run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429
run_timer_base kernel/time/timer.c:2438 [inline]
run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
__do_softirq+0x2c6/0x980 kernel/softirq.c:554
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758
Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0018:ffffc90013657100 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60
RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0
R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28
R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246
AI Analysis
Technical Summary
CVE-2024-36979 is a use-after-free vulnerability in the Linux kernel's network bridge module, specifically within the Multiple Spanning Tree (MST) protocol implementation. The issue arises from improper handling of VLAN objects during state transitions in the bridge's MST code. The vulnerability was identified through syzbot, which reported suspicious Read-Copy-Update (RCU) usage patterns indicating potential unsafe memory access. The root cause is that the code does not prevent a VLAN from being freed while simultaneously traversing the VLAN list during the bridge forward delay timer execution. This can lead to dereferencing freed memory, causing undefined behavior such as kernel crashes or potential escalation of privileges. The fix involved correcting the RCU usage by adding proper RCU read locks in the br_mst_vlan_set_state function to ensure safe access to VLAN structures during state changes. The vulnerability affects Linux kernel versions prior to the patch and is related to the internal locking and timer mechanisms of the bridge MST implementation. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The vulnerability is technical and low-level, affecting the kernel's network bridging functionality, which is widely used in virtualized environments, container platforms, and network appliances running Linux.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems that utilize Linux bridging with MST enabled, such as data center servers, cloud infrastructure, and network appliances. Exploitation could lead to kernel crashes (denial of service) or potentially privilege escalation if an attacker can trigger use-after-free conditions to execute arbitrary code in kernel space. This could disrupt critical services, especially in sectors relying heavily on Linux-based virtualization and container orchestration platforms (e.g., telecommunications, finance, and public sector). The impact on confidentiality and integrity depends on the exploitability of the use-after-free condition, which is non-trivial but possible with local access. Availability impact is more straightforward due to potential kernel panics. Given the Linux kernel's prevalence in European IT infrastructure, unpatched systems could be vulnerable to targeted attacks or accidental crashes, affecting operational continuity.
Mitigation Recommendations
European organizations should prioritize patching Linux kernels with the latest updates that address CVE-2024-36979. Specifically, they should:
1) Identify all systems running Linux kernels with network bridge MST enabled;
2) Apply vendor-provided kernel patches or upgrade to kernel versions that include the fix;
3) Where immediate patching is not feasible, consider disabling MST bridging functionality if it is not essential, to reduce attack surface;
4) Implement strict access controls to limit local user access to trusted personnel only, as exploitation requires local code execution;
5) Monitor kernel logs and system behavior for signs of crashes or suspicious activity related to bridging timers;
6) Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Control Flow Integrity (CFI) to reduce exploitation likelihood;
7) In virtualized environments, isolate critical workloads and limit bridge exposure to untrusted tenants or users.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.082Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe2891
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 10:56:04 AM
Last updated: 8/11/2025, 9:30:58 AM