{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-36886","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-30T15:25:07.065Z","datePublished":"2024-05-30T15:28:55.059Z","dateUpdated":"2026-05-11T20:16:23.394Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T20:16:23.394Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix UAF in error path\n\nSam Page (sam4k) working with Trend Micro Zero Day Initiative reported\na UAF in the tipc_buf_append() error path:\n\nBUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0\nlinux/net/core/skbuff.c:1183\nRead of size 8 at addr ffff88804d2a7c80 by task poc/8034\n\nCPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.0-debian-1.16.0-5 04/01/2014\nCall Trace:\n <IRQ>\n __dump_stack linux/lib/dump_stack.c:88\n dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106\n print_address_description linux/mm/kasan/report.c:377\n print_report+0xc4/0x620 linux/mm/kasan/report.c:488\n kasan_report+0xda/0x110 linux/mm/kasan/report.c:601\n kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183\n skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026\n skb_release_all linux/net/core/skbuff.c:1094\n __kfree_skb linux/net/core/skbuff.c:1108\n kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144\n kfree_skb linux/./include/linux/skbuff.h:1244\n tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186\n tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324\n tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824\n tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159\n tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390\n udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422\n ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254\n dst_input linux/./include/net/dst.h:461\n ip_rcv_finish linux/net/ipv4/ip_input.c:449\n NF_HOOK linux/./include/linux/netfilter.h:314\n NF_HOOK linux/./include/linux/netfilter.h:308\n ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534\n __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648\n process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976\n __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576\n napi_poll linux/net/core/dev.c:6645\n net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781\n __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553\n do_softirq linux/kernel/softirq.c:454\n do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441\n </IRQ>\n <TASK>\n __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381\n local_bh_enable linux/./include/linux/bottom_half.h:33\n rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851\n __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378\n dev_queue_xmit linux/./include/linux/netdevice.h:3169\n neigh_hh_output linux/./include/net/neighbour.h:526\n neigh_output linux/./include/net/neighbour.h:540\n ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235\n __ip_finish_output linux/net/ipv4/ip_output.c:313\n __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295\n ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323\n NF_HOOK_COND linux/./include/linux/netfilter.h:303\n ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433\n dst_output linux/./include/net/dst.h:451\n ip_local_out linux/net/ipv4/ip_output.c:129\n ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492\n udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963\n udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250\n inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850\n sock_sendmsg_nosec linux/net/socket.c:730\n __sock_sendmsg linux/net/socket.c:745\n __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191\n __do_sys_sendto linux/net/socket.c:2203\n __se_sys_sendto linux/net/socket.c:2199\n __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199\n do_syscall_x64 linux/arch/x86/entry/common.c:52\n do_syscall_\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/msg.c"],"versions":[{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"e19ec8ab0e25bc4803d7cc91c84e84532e2781bd","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"93bc2d6d16f2c3178736ba6b845b30475856dc40","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"367766ff9e407f8a68409b7ce4dc4d5a72afeab1","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"66116556076f0b96bc1aa9844008c743c8c67684","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"21ea04aad8a0839b4ec27ef1691ca480620e8e14","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"ffd4917c1edb3c3ff334fce3704fbe9c39f35682","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"a0fbb26f8247e326a320e2cb4395bfb234332c90","status":"affected","versionType":"git"},{"version":"1149557d64c97dc9adf3103347a1c0e8c06d3b89","lessThan":"080cbb890286cd794f1ee788bbc5463e2deb7c2b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tipc/msg.c"],"versions":[{"version":"4.1","status":"affected"},{"version":"0","lessThan":"4.1","status":"unaffected","versionType":"semver"},{"version":"4.19.314","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.276","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.217","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.159","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.91","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.31","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.10","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"4.19.314"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.4.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.10.217"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"5.15.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.1.91"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.6.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.8.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd"},{"url":"https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40"},{"url":"https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1"},{"url":"https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684"},{"url":"https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14"},{"url":"https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682"},{"url":"https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90"},{"url":"https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b"}],"title":"tipc: fix UAF in error path","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-416","lang":"en","description":"CWE-416 Use After Free"}]}],"affected":[{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:4.1:-:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"4.1","status":"affected"}]},{"vendor":"linux","product":"linux_kernel","cpes":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"1149557d64c9","status":"affected","lessThan":"e19ec8ab0e25","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"93bc2d6d16f2","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"367766ff9e40","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"66116556076f","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"21ea04aad8a0","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"ffd4917c1edb","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"a0fbb26f8247","versionType":"custom"},{"version":"1149557d64c9","status":"affected","lessThan":"080cbb890286","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":8.1,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-06-22T03:55:33.064938Z","id":"CVE-2024-36886","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-24T12:40:50.587Z"}},{"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/e19ec8ab0e25bc4803d7cc91c84e84532e2781bd","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/93bc2d6d16f2c3178736ba6b845b30475856dc40","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/367766ff9e407f8a68409b7ce4dc4d5a72afeab1","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/66116556076f0b96bc1aa9844008c743c8c67684","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/21ea04aad8a0839b4ec27ef1691ca480620e8e14","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/ffd4917c1edb3c3ff334fce3704fbe9c39f35682","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a0fbb26f8247e326a320e2cb4395bfb234332c90","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/080cbb890286cd794f1ee788bbc5463e2deb7c2b","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20241018-0002/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-10-18T13:07:39.609Z"}}]},"dataVersion":"5.2"}