{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-36979","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-30T15:25:07.082Z","datePublished":"2024-06-19T13:35:12.708Z","dateUpdated":"2025-05-04T09:13:15.821Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:13:15.821Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n  <IRQ>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n  run_timer_base kernel/time/timer.c:2438 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n  __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n  </IRQ>\n  <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bridge/br_mst.c"],"versions":[{"version":"ec7328b59176227216c461601c6bd0e922232a9b","lessThan":"8ca9a750fc711911ef616ceb627d07357b04545e","status":"affected","versionType":"git"},{"version":"ec7328b59176227216c461601c6bd0e922232a9b","lessThan":"4488617e5e995a09abe4d81add5fb165674edb59","status":"affected","versionType":"git"},{"version":"ec7328b59176227216c461601c6bd0e922232a9b","lessThan":"a2b01e65d9ba8af2bb086d3b7288ca53a07249ac","status":"affected","versionType":"git"},{"version":"ec7328b59176227216c461601c6bd0e922232a9b","lessThan":"e43dd2b1ec746e105b7db5f9ad6ef14685a615a4","status":"affected","versionType":"git"},{"version":"ec7328b59176227216c461601c6bd0e922232a9b","lessThan":"3a7c1661ae1383364cd6092d851f5e5da64d476b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/bridge/br_mst.c"],"versions":[{"version":"5.18","status":"affected"},{"version":"0","lessThan":"5.18","status":"unaffected","versionType":"semver"},{"version":"6.1.93","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.33","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.12","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9.3","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.1.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.6.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.8.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.9.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e"},{"url":"https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59"},{"url":"https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"},{"url":"https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"},{"url":"https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b"}],"title":"net: bridge: mst: fix vlan use-after-free","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-24T15:36:13.939816Z","id":"CVE-2024-36979","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-24T15:36:22.198Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T03:43:50.547Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b","tags":["x_transferred"]}]}]}}