CVE-2024-36904 - OpenCVE

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:5102	2024-08-08T00:00:00Z
kernel-0:4.18.0-553.16.1.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:5101	2024-08-08T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
kernel-0:4.18.0-372.119.1.el8_6	cpe:/o:redhat:rhel_aus:8.6	RHSA-2024:5692	2024-08-21T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
kernel-0:4.18.0-372.119.1.el8_6	cpe:/o:redhat:rhel_tus:8.6	RHSA-2024:5692	2024-08-21T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
kernel-0:4.18.0-372.119.1.el8_6	cpe:/o:redhat:rhel_e4s:8.6	RHSA-2024:5692	2024-08-21T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
kernel-0:4.18.0-477.70.1.el8_8	cpe:/o:redhat:rhel_eus:8.8	RHSA-2024:6206	2024-09-03T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-427.26.1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:4583	2024-07-17T00:00:00Z
kernel-0:5.14.0-427.26.1.el9_4	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:4583	2024-07-17T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.75.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:4823	2024-07-24T00:00:00Z
kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:4831	2024-07-24T00:00:00Z

Link	Providers
https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446
https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3
https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34
https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8
https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc
https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc
https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9
https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e
https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
https://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36904-2273@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-36904
https://security.netapp.com/advisory/ntap-20240905-0004/
https://www.cve.org/CVERecord?id=CVE-2024-36904

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:rhel_eus:8.8

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20240905-0004/

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8::nfv cpe:/o:redhat:enterprise_linux:8

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-36904", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.067Z", "datePublished": "2024-05-30T15:29:05.457Z", "dateUpdated": "2024-09-05T08:03:30.442Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-30T15:29:05.457Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n </TASK>"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/tcp_ipv4.c"], "versions": [{"version": "ec94c2696f0b", "lessThan": "84546cc1aeeb", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "1796ca9c6f5b", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "1d9cf07810c3", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "27b0284d8be1", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "13ed7cdf0796", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "6e48faad92be", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "517e32ea0a8c", "status": "affected", "versionType": "git"}, {"version": "ec94c2696f0b", "lessThan": "f2db7230f73a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ipv4/tcp_ipv4.c"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "custom"}, {"version": "4.19.314", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.4.276", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.10.217", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.159", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.91", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.31", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9"}, {"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3"}, {"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34"}, {"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8"}, {"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446"}, {"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc"}, {"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc"}, {"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"}], "title": "tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", "x_generator": {"engine": "bippy-a5840b7849dd"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T19:20:22.181493Z", "id": "CVE-2024-36904", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T19:20:38.310Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240905-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-05T08:03:30.442Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240905-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-05T08:03:30.442Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T19:20:22.181493Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T19:20:34.515Z"}}], "cna": {"title": "tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "ec94c2696f0b", "lessThan": "84546cc1aeeb", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "1796ca9c6f5b", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "1d9cf07810c3", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "27b0284d8be1", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "13ed7cdf0796", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "6e48faad92be", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "517e32ea0a8c", "versionType": "git"}, {"status": "affected", "version": "ec94c2696f0b", "lessThan": "f2db7230f73a", "versionType": "git"}], "programFiles": ["net/ipv4/tcp_ipv4.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.16"}, {"status": "unaffected", "version": "0", "lessThan": "4.16", "versionType": "custom"}, {"status": "unaffected", "version": "4.19.314", "versionType": "custom", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.276", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.217", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.159", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.91", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.31", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.10", "versionType": "custom", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/ipv4/tcp_ipv4.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9"}, {"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3"}, {"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34"}, {"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8"}, {"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446"}, {"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc"}, {"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc"}, {"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n </TASK>"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-30T15:29:05.457Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36904", "state": "PUBLISHED", "dateUpdated": "2024-09-05T08:03:30.442Z", "dateReserved": "2024-05-30T15:25:07.067Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-30T15:29:05.457Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n <TASK>\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: tcp: utilice refcount_inc_not_zero() en tcp_twsk_unique(). Anderson Nascimento inform\u00f3 sobre un s\u00edmbolo de use after free en tcp_twsk_unique() con un buen an\u00e1lisis. Desde el commit ec94c2696f0b (\"tcp/dccp: evitar una operaci\u00f3n at\u00f3mica para timewait hashdance\"), inet_twsk_hashdance() establece el sk_refcnt del socket TIME-WAIT despu\u00e9s de ponerlo en ehash y liberar el bloqueo del dep\u00f3sito. Por lo tanto, hay una peque\u00f1a ventana de ejecuci\u00f3n donde otros subprocesos podr\u00edan intentar reutilizar el puerto durante connect() y llamar a sock_hold() en tcp_twsk_unique() para el socket TIME-WAIT con cero refcnt. Si eso sucede, el refcnt tomado por tcp_twsk_unique() se sobrescribe y sock_put() provocar\u00e1 un desbordamiento insuficiente, lo que desencadenar\u00e1 un use after free real en otro lugar. Para evitar el use after free, debemos usar refcount_inc_not_zero() en tcp_twsk_unique() y renunciar a reutilizar el puerto si devuelve falso. [0]: refcount_t: suma en 0; use after free. ADVERTENCIA: CPU: 0 PID: 1039313 en lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: disparador No contaminado 6.8.6-200.fc39.x86_64 #1 Nombre de hardware: VMware, Inc. Plataforma de referencia de escritorio VMware20,1/440BX, BIOS VMW201.00V.21805430.B64.2305221830 22/05/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 C\u00f3digo: 42 8e ff 0f 0b c3 cc cc cc 80 3d aa 13 cada uno 01 00 0f 85 5e ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 0 1 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 00000000000000027 RDX: ffff88807be218c8 RSI: 00000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 000000000000 0003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Seguimiento de llamadas: ? refcount_warn_saturate+0xe5/0x110? __advertir+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110? report_bug+0x171/0x1a0? refcount_warn_saturate+0xe5/0x110? handle_bug+0x3c/0x80? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_establecido+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_establecido+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 _64+0x83/0x170 entrada_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d C\u00f3digo: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 0000000000000002a RAX: ffffffffffffffda RBX: 20ccb004 RCX: 00007f62c11a885d RDX: 00000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000 0000R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 07ffe237885b0 "}], "id": "CVE-2024-36904", "lastModified": "2024-06-27T13:16:00.043", "metrics": {}, "published": "2024-05-30T16:15:13.947", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:5102", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.16.1.rt7.357.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5101", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.16.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5692", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "kernel-0:4.18.0-372.119.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:5692", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "kernel-0:4.18.0-372.119.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:5692", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "kernel-0:4.18.0-372.119.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-08-21T00:00:00Z"}, {"advisory": "RHSA-2024:6206", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "kernel-0:4.18.0-477.70.1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:4583", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.26.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4583", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-427.26.1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4823", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.75.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4831", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.75.1.rt14.360.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-24T00:00:00Z"}], "bugzilla": {"description": "kernel: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().", "id": "2284541", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2284541"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket's\nsk_refcnt after putting it into ehash and releasing the bucket lock.\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\n? refcount_warn_saturate+0xe5/0x110\n? __warn+0x81/0x130\n? refcount_warn_saturate+0xe5/0x110\n? report_bug+0x171/0x1a0\n? refcount_warn_saturate+0xe5/0x110\n? handle_bug+0x3c/0x80\n? exc_invalid_op+0x17/0x70\n? asm_exc_invalid_op+0x1a/0x20\n? refcount_warn_saturate+0xe5/0x110\ntcp_twsk_unique+0x186/0x190\n__inet_check_established+0x176/0x2d0\n__inet_hash_connect+0x74/0x7d0\n? __pfx___inet_check_established+0x10/0x10\ntcp_v4_connect+0x278/0x530\n__inet_stream_connect+0x10f/0x3d0\ninet_stream_connect+0x3a/0x60\n__sys_connect+0xa8/0xd0\n__x64_sys_connect+0x18/0x20\ndo_syscall_64+0x83/0x170\nentry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n</TASK>", "A use-after-free flaw was found in the Linux kernel\u2019s TCP protocol in how a local user triggers a complex race condition during connection to the socket. This flaw allows a local user to crash or potentially escalate their privileges on the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-36904", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36904\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36904\nhttps://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36904-2273@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 4.19.314, kernel 5.4.276, kernel 5.10.217, kernel 5.15.159, kernel 6.1.91, kernel 6.6.31, kernel 6.8.10, kernel 6.9"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object