{"id":"CVE-2024-36971","summary":"net: fix __dst_negative_advice() race","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix __dst_negative_advice() race\n\n__dst_negative_advice() does not enforce proper RCU rules when\nsk-\u003edst_cache must be cleared, leading to possible UAF.\n\nRCU rules are that we must first clear sk-\u003esk_dst_cache,\nthen call dst_release(old_dst).\n\nNote that sk_dst_reset(sk) is implementing this protocol correctly,\nwhile __dst_negative_advice() uses the wrong order.\n\nGiven that ip6_negative_advice() has special logic\nagainst RTF_CACHE, this means each of the three -\u003enegative_advice()\nexisting methods must perform the sk_dst_reset() themselves.\n\nNote the check against NULL dst is centralized in\n__dst_negative_advice(), there is no need to duplicate\nit in various callbacks.\n\nMany thanks to Clement Lecigne for tracking this issue.\n\nThis old bug became visible after the blamed commit, using UDP sockets.","aliases":["A-343727534","ASB-A-343727534"],"modified":"2026-04-02T12:16:35.569383Z","published":"2024-06-10T09:03:23.878Z","related":["ALSA-2024:5363","SUSE-SU-2024:2372-1","SUSE-SU-2024:2385-1","SUSE-SU-2024:2394-1","SUSE-SU-2024:2495-1","SUSE-SU-2024:2571-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2973-1","SUSE-SU-2024:3565-1","SUSE-SU-2024:3585-1","SUSE-SU-2024:4081-1","SUSE-SU-2025:0238-1","SUSE-SU-2025:0239-1","SUSE-SU-2025:0240-1","SUSE-SU-2025:0241-1","SUSE-SU-2025:0242-1","SUSE-SU-2025:0243-1","SUSE-SU-2025:0244-1","SUSE-SU-2025:0245-1","SUSE-SU-2025:0246-1","SUSE-SU-2025:0248-1","SUSE-SU-2025:0249-1","SUSE-SU-2025:0250-1","SUSE-SU-2025:0251-1","SUSE-SU-2025:0252-1","SUSE-SU-2025:0253-1","SUSE-SU-2025:0254-1","SUSE-SU-2025:0255-1","SUSE-SU-2025:0260-1","SUSE-SU-2025:0261-1","SUSE-SU-2025:0263-1","SUSE-SU-2025:0264-1","SUSE-SU-2025:0266-1","SUSE-SU-2025:0268-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36971.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/051c0bde9f0450a2ec3d62a86d2a0d2fad117f13"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2295a7ef5c8c49241bff769e7826ef2582e532a6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5af198c387128a9d2ddd620b0f0803564a4d4508"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81dd3c82a456b0015461754be7cb2693991421b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92f1655aa2b2294d0b49925f3b875a634bd3b59e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b8af8e6118a6605f0e495a58d591ca94a85a50fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db0082825037794c5dba9959c9de13ca34cc5e72"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eacb8b195579c174a6d3e12a9690b206eb7f28cf"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36971"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36971.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36971"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a87cb3e48ee86d29868d3f59cfb9ce1a8fa63314"},{"fixed":"051c0bde9f0450a2ec3d62a86d2a0d2fad117f13"},{"fixed":"db0082825037794c5dba9959c9de13ca34cc5e72"},{"fixed":"2295a7ef5c8c49241bff769e7826ef2582e532a6"},{"fixed":"eacb8b195579c174a6d3e12a9690b206eb7f28cf"},{"fixed":"81dd3c82a456b0015461754be7cb2693991421b4"},{"fixed":"5af198c387128a9d2ddd620b0f0803564a4d4508"},{"fixed":"b8af8e6118a6605f0e495a58d591ca94a85a50fc"},{"fixed":"92f1655aa2b2294d0b49925f3b875a634bd3b59e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36971.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}