CVE-2024-36971

Name: CVE-2024-36971
Creator: NVD / NIST
Published: 2024-06-10T09:15:09.127+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10Actively ExploitedEPSS 2.70%

Last modified Jun 17, 2026

CVE-2024-36971 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.. CISA has confirmed active exploitation in the wild. EPSS estimates a 2.70% chance of exploitation in the next 30 days.

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.70%

84.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Aug 28, 2024.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Debian	Debian Linux	10.0
Linux	Linux Kernel	>= 4.6, < 4.19.316
Linux	Linux Kernel	>= 4.20, < 5.4.278
Linux	Linux Kernel	>= 5.5, < 5.10.219
Linux	Linux Kernel	>= 5.11, < 5.15.161
Linux	Linux Kernel	>= 5.16, < 6.1.94
Linux	Linux Kernel	>= 6.2, < 6.6.34
Linux	Linux Kernel	>= 6.7, < 6.9.4

References

Timeline

Published: Jun 10, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-36971?

How severe is CVE-2024-36971?

CVE-2024-36971 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 2.70% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2024-36971?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-36971?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST