netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
Summary
| CVE | CVE-2024-36286 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-06-21 11:15:10 UTC |
| Updated | 2026-05-12 12:16:48 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK> |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 8658bd777cbfcb0c13df23d0ea120e70517761b9 git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 3989b817857f4890fab9379221a9d3f52bf5c256 git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 e01065b339e323b3dfa1be217fd89e9b3208b0ab git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 25ea5377e3d2921a0f96ae2551f5ab1b36825dd4 git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 68f40354a3851df46c27be96b84f11ae193e36c5 git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 8f365564af898819a523f1a8cf5c6ce053e9f718 git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 215df6490e208bfdd5b3012f5075e7f8736f3e7a git | Not specified |
| CNA | Linux | Linux | affected 9872bec773c2e8503fec480c1e8a0c732517e257 dc21c6cc3d6986d938efbf95de62473982c98dec git | Not specified |
| CNA | Linux | Linux | affected 2.6.25 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.25 semver | Not specified |
| CNA | Linux | Linux | unaffected 4.19.316 4.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.4.278 5.4.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.219 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.161 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.93 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.33 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.9.4 6.9.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.10 * original_commit_for_fix | Not specified |
| ADP | Siemens | RUGGEDCOM RST2428P | affected V3.1 custom | Not specified |
| ADP | Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 Family | unaffected * custom | Not specified |
| ADP | Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 Family | affected V3.1 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
| ADP | Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP | affected V3.1.0 V3.1.5 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cert-portal.siemens.com/productcert/html/ssa-398330.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/25ea5377e3d2921a0f96ae2551f5ab1b36825dd4 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/dc21c6cc3d6986d938efbf95de62473982c98dec | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8658bd777cbfcb0c13df23d0ea120e70517761b9 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/68f40354a3851df46c27be96b84f11ae193e36c5 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/215df6490e208bfdd5b3012f5075e7f8736f3e7a | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-613116.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/e01065b339e323b3dfa1be217fd89e9b3208b0ab | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3989b817857f4890fab9379221a9d3f52bf5c256 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8f365564af898819a523f1a8cf5c6ce053e9f718 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00020.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.