CVE-2024-36904 (GCVE-0-2024-36904)
Vulnerability from cvelistv5 – Published: 2024-05-30 15:29 – Updated: 2026-05-12 11:54
VLAI
Title
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
with nice analysis.
Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for
timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's
sk_refcnt after putting it into ehash and releasing the bucket lock.
Thus, there is a small race window where other threads could try to
reuse the port during connect() and call sock_hold() in tcp_twsk_unique()
for the TIME-WAIT socket with zero refcnt.
If that happens, the refcnt taken by tcp_twsk_unique() is overwritten
and sock_put() will cause underflow, triggering a real use-after-free
somewhere else.
To avoid the use-after-free, we need to use refcount_inc_not_zero() in
tcp_twsk_unique() and give up on reusing the port if it returns false.
[0]:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1
Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
RIP: 0010:refcount_warn_saturate+0xe5/0x110
Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8
RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027
RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0
RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0
R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84
R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0
FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0
PKRU: 55555554
Call Trace:
<TASK>
? refcount_warn_saturate+0xe5/0x110
? __warn+0x81/0x130
? refcount_warn_saturate+0xe5/0x110
? report_bug+0x171/0x1a0
? refcount_warn_saturate+0xe5/0x110
? handle_bug+0x3c/0x80
? exc_invalid_op+0x17/0x70
? asm_exc_invalid_op+0x1a/0x20
? refcount_warn_saturate+0xe5/0x110
tcp_twsk_unique+0x186/0x190
__inet_check_established+0x176/0x2d0
__inet_hash_connect+0x74/0x7d0
? __pfx___inet_check_established+0x10/0x10
tcp_v4_connect+0x278/0x530
__inet_stream_connect+0x10f/0x3d0
inet_stream_connect+0x3a/0x60
__sys_connect+0xa8/0xd0
__x64_sys_connect+0x18/0x20
do_syscall_64+0x83/0x170
entry_SYSCALL_64_after_hwframe+0x78/0x80
RIP: 0033:0x7f62c11a885d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d
RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003
RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0
R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0
</TASK>
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
14 references
Impacted products
9 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 84546cc1aeeb4df3e444b18a4293c9823f974be9
(git)
Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 1796ca9c6f5bd50554214053af5f47d112818ee3 (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 1d9cf07810c30ef7948879567d10fd1f01121d34 (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 27b0284d8be182a81feb65581ab6a724dfd596e8 (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 13ed7cdf079686ccd3618335205700c03f6fb446 (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 6e48faad92be13166184d21506e4e54c79c13adc (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < 517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc (git) Affected: ec94c2696f0bcd5ae92a553244e4ac30d2171a2d , < f2db7230f73a80dbb179deab78f88a7947f0ab7e (git) |
|
| Linux | Linux |
Affected:
4.16
Unaffected: 0 , < 4.16 (semver) Unaffected: 4.19.314 , ≤ 4.19.* (semver) Unaffected: 5.4.276 , ≤ 5.4.* (semver) Unaffected: 5.10.217 , ≤ 5.10.* (semver) Unaffected: 5.15.159 , ≤ 5.15.* (semver) Unaffected: 6.1.91 , ≤ 6.1.* (semver) Unaffected: 6.6.31 , ≤ 6.6.* (semver) Unaffected: 6.8.10 , ≤ 6.8.* (semver) Unaffected: 6.9 , ≤ * (original_commit_for_fix) |
|
| Siemens | RUGGEDCOM RST2428P |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family |
Unaffected:
0 , < *
(custom)
|
|
| Siemens | SCALANCE XCM-/XRM-/XCH-/XRH-300 family |
Affected:
0 , < V3.1
(custom)
|
|
| Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux subsystem |
Affected:
0 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.0 , < V3.1.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T19:20:22.181493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T19:20:38.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-05T08:03:30.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240905-0004/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM-/XRM-/XCH-/XRH-300 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 TM MFP - GNU/Linux subsystem",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.1.5",
"status": "affected",
"version": "V3.1.0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T11:54:07.539Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-613116.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "84546cc1aeeb4df3e444b18a4293c9823f974be9",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "1796ca9c6f5bd50554214053af5f47d112818ee3",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "1d9cf07810c30ef7948879567d10fd1f01121d34",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "27b0284d8be182a81feb65581ab6a724dfd596e8",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "13ed7cdf079686ccd3618335205700c03f6fb446",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "6e48faad92be13166184d21506e4e54c79c13adc",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
},
{
"lessThan": "f2db7230f73a80dbb179deab78f88a7947f0ab7e",
"status": "affected",
"version": "ec94c2696f0bcd5ae92a553244e4ac30d2171a2d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/tcp_ipv4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.314",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.217",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.31",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"version": "6.8.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.9",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.314",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.276",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.217",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.159",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.91",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.31",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.8.10",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.9",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\n\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\nwith nice analysis.\n\nSince commit ec94c2696f0b (\"tcp/dccp: avoid one atomic operation for\ntimewait hashdance\"), inet_twsk_hashdance() sets TIME-WAIT socket\u0027s\nsk_refcnt after putting it into ehash and releasing the bucket lock.\n\nThus, there is a small race window where other threads could try to\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\nfor the TIME-WAIT socket with zero refcnt.\n\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\nand sock_put() will cause underflow, triggering a real use-after-free\nsomewhere else.\n\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\ntcp_twsk_unique() and give up on reusing the port if it returns false.\n\n[0]:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u003c0f\u003e 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? refcount_warn_saturate+0xe5/0x110\n ? __warn+0x81/0x130\n ? refcount_warn_saturate+0xe5/0x110\n ? report_bug+0x171/0x1a0\n ? refcount_warn_saturate+0xe5/0x110\n ? handle_bug+0x3c/0x80\n ? exc_invalid_op+0x17/0x70\n ? asm_exc_invalid_op+0x1a/0x20\n ? refcount_warn_saturate+0xe5/0x110\n tcp_twsk_unique+0x186/0x190\n __inet_check_established+0x176/0x2d0\n __inet_hash_connect+0x74/0x7d0\n ? __pfx___inet_check_established+0x10/0x10\n tcp_v4_connect+0x278/0x530\n __inet_stream_connect+0x10f/0x3d0\n inet_stream_connect+0x3a/0x60\n __sys_connect+0xa8/0xd0\n __x64_sys_connect+0x18/0x20\n do_syscall_64+0x83/0x170\n entry_SYSCALL_64_after_hwframe+0x78/0x80\nRIP: 0033:0x7f62c11a885d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T20:16:44.686Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9"
},
{
"url": "https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3"
},
{
"url": "https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34"
},
{
"url": "https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8"
},
{
"url": "https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446"
},
{
"url": "https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc"
},
{
"url": "https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc"
},
{
"url": "https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e"
}
],
"title": "tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-36904",
"datePublished": "2024-05-30T15:29:05.457Z",
"dateReserved": "2024-05-30T15:25:07.067Z",
"dateUpdated": "2026-05-12T11:54:07.539Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-36904",
"date": "2026-06-29",
"epss": "0.00614",
"percentile": "0.44921"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\\n\\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\\nwith nice analysis.\\n\\nSince commit ec94c2696f0b (\\\"tcp/dccp: avoid one atomic operation for\\ntimewait hashdance\\\"), inet_twsk_hashdance() sets TIME-WAIT socket\u0027s\\nsk_refcnt after putting it into ehash and releasing the bucket lock.\\n\\nThus, there is a small race window where other threads could try to\\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\\nfor the TIME-WAIT socket with zero refcnt.\\n\\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\\nand sock_put() will cause underflow, triggering a real use-after-free\\nsomewhere else.\\n\\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\\ntcp_twsk_unique() and give up on reusing the port if it returns false.\\n\\n[0]:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u003c0f\u003e 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n ? refcount_warn_saturate+0xe5/0x110\\n ? __warn+0x81/0x130\\n ? refcount_warn_saturate+0xe5/0x110\\n ? report_bug+0x171/0x1a0\\n ? refcount_warn_saturate+0xe5/0x110\\n ? handle_bug+0x3c/0x80\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? refcount_warn_saturate+0xe5/0x110\\n tcp_twsk_unique+0x186/0x190\\n __inet_check_established+0x176/0x2d0\\n __inet_hash_connect+0x74/0x7d0\\n ? __pfx___inet_check_established+0x10/0x10\\n tcp_v4_connect+0x278/0x530\\n __inet_stream_connect+0x10f/0x3d0\\n inet_stream_connect+0x3a/0x60\\n __sys_connect+0xa8/0xd0\\n __x64_sys_connect+0x18/0x20\\n do_syscall_64+0x83/0x170\\n entry_SYSCALL_64_after_hwframe+0x78/0x80\\nRIP: 0033:0x7f62c11a885d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\\n \u003c/TASK\u003e\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: tcp: utilice refcount_inc_not_zero() en tcp_twsk_unique(). Anderson Nascimento inform\\u00f3 sobre un s\\u00edmbolo de use after free en tcp_twsk_unique() con un buen an\\u00e1lisis. Desde el commit ec94c2696f0b (\\\"tcp/dccp: evitar una operaci\\u00f3n at\\u00f3mica para timewait hashdance\\\"), inet_twsk_hashdance() establece el sk_refcnt del socket TIME-WAIT despu\\u00e9s de ponerlo en ehash y liberar el bloqueo del dep\\u00f3sito. Por lo tanto, hay una peque\\u00f1a ventana de ejecuci\\u00f3n donde otros subprocesos podr\\u00edan intentar reutilizar el puerto durante connect() y llamar a sock_hold() en tcp_twsk_unique() para el socket TIME-WAIT con cero refcnt. Si eso sucede, el refcnt tomado por tcp_twsk_unique() se sobrescribe y sock_put() provocar\\u00e1 un desbordamiento insuficiente, lo que desencadenar\\u00e1 un use after free real en otro lugar. Para evitar el use after free, debemos usar refcount_inc_not_zero() en tcp_twsk_unique() y renunciar a reutilizar el puerto si devuelve falso. [0]: refcount_t: suma en 0; use after free. ADVERTENCIA: CPU: 0 PID: 1039313 en lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: disparador No contaminado 6.8.6-200.fc39.x86_64 #1 Nombre de hardware: VMware, Inc. Plataforma de referencia de escritorio VMware20,1/440BX, BIOS VMW201.00V.21805430.B64.2305221830 22/05/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 C\\u00f3digo: 42 8e ff 0f 0b c3 cc cc cc 80 3d aa 13 cada uno 01 00 0f 85 5e ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u0026lt;0f\u0026gt; 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 0 1 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 00000000000000027 RDX: ffff88807be218c8 RSI: 00000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 000000000000 0003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Seguimiento de llamadas: ? refcount_warn_saturate+0xe5/0x110? __advertir+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110? report_bug+0x171/0x1a0? refcount_warn_saturate+0xe5/0x110? handle_bug+0x3c/0x80? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_establecido+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_establecido+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 _64+0x83/0x170 entrada_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d C\\u00f3digo: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 0000000000000002a RAX: ffffffffffffffda RBX: 20ccb004 RCX: 00007f62c11a885d RDX: 00000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000 0000R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 07ffe237885b0 \"}]",
"id": "CVE-2024-36904",
"lastModified": "2024-11-21T09:22:46.773",
"published": "2024-05-30T16:15:13.947",
"references": "[{\"url\": \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240905-0004/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"vulnStatus": "Awaiting Analysis"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-36904\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-30T16:15:13.947\",\"lastModified\":\"2026-06-17T07:37:19.397\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\\n\\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\\nwith nice analysis.\\n\\nSince commit ec94c2696f0b (\\\"tcp/dccp: avoid one atomic operation for\\ntimewait hashdance\\\"), inet_twsk_hashdance() sets TIME-WAIT socket\u0027s\\nsk_refcnt after putting it into ehash and releasing the bucket lock.\\n\\nThus, there is a small race window where other threads could try to\\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\\nfor the TIME-WAIT socket with zero refcnt.\\n\\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\\nand sock_put() will cause underflow, triggering a real use-after-free\\nsomewhere else.\\n\\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\\ntcp_twsk_unique() and give up on reusing the port if it returns false.\\n\\n[0]:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u003c0f\u003e 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n ? refcount_warn_saturate+0xe5/0x110\\n ? __warn+0x81/0x130\\n ? refcount_warn_saturate+0xe5/0x110\\n ? report_bug+0x171/0x1a0\\n ? refcount_warn_saturate+0xe5/0x110\\n ? handle_bug+0x3c/0x80\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? refcount_warn_saturate+0xe5/0x110\\n tcp_twsk_unique+0x186/0x190\\n __inet_check_established+0x176/0x2d0\\n __inet_hash_connect+0x74/0x7d0\\n ? __pfx___inet_check_established+0x10/0x10\\n tcp_v4_connect+0x278/0x530\\n __inet_stream_connect+0x10f/0x3d0\\n inet_stream_connect+0x3a/0x60\\n __sys_connect+0xa8/0xd0\\n __x64_sys_connect+0x18/0x20\\n do_syscall_64+0x83/0x170\\n entry_SYSCALL_64_after_hwframe+0x78/0x80\\nRIP: 0033:0x7f62c11a885d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\\n \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: tcp: utilice refcount_inc_not_zero() en tcp_twsk_unique(). Anderson Nascimento inform\u00f3 sobre un s\u00edmbolo de use after free en tcp_twsk_unique() con un buen an\u00e1lisis. Desde el commit ec94c2696f0b (\\\"tcp/dccp: evitar una operaci\u00f3n at\u00f3mica para timewait hashdance\\\"), inet_twsk_hashdance() establece el sk_refcnt del socket TIME-WAIT despu\u00e9s de ponerlo en ehash y liberar el bloqueo del dep\u00f3sito. Por lo tanto, hay una peque\u00f1a ventana de ejecuci\u00f3n donde otros subprocesos podr\u00edan intentar reutilizar el puerto durante connect() y llamar a sock_hold() en tcp_twsk_unique() para el socket TIME-WAIT con cero refcnt. Si eso sucede, el refcnt tomado por tcp_twsk_unique() se sobrescribe y sock_put() provocar\u00e1 un desbordamiento insuficiente, lo que desencadenar\u00e1 un use after free real en otro lugar. Para evitar el use after free, debemos usar refcount_inc_not_zero() en tcp_twsk_unique() y renunciar a reutilizar el puerto si devuelve falso. [0]: refcount_t: suma en 0; use after free. ADVERTENCIA: CPU: 0 PID: 1039313 en lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110 CPU: 0 PID: 1039313 Comm: disparador No contaminado 6.8.6-200.fc39.x86_64 #1 Nombre de hardware: VMware, Inc. Plataforma de referencia de escritorio VMware20,1/440BX, BIOS VMW201.00V.21805430.B64.2305221830 22/05/2023 RIP: 0010:refcount_warn_saturate+0xe5/0x110 C\u00f3digo: 42 8e ff 0f 0b c3 cc cc cc 80 3d aa 13 cada uno 01 00 0f 85 5e ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u0026lt;0f\u0026gt; 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 0 1 e8 RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 00000000000000027 RDX: ffff88807be218c8 RSI: 00000000001 RDI: ffff88807be218c0 RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0 R10: ffffc90006b439e8 R11: 000000000000 0003 R12: ffff8880029ede84 R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0 FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:00000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0 PKRU: 55555554 Seguimiento de llamadas: ? refcount_warn_saturate+0xe5/0x110? __advertir+0x81/0x130 ? refcount_warn_saturate+0xe5/0x110? report_bug+0x171/0x1a0? refcount_warn_saturate+0xe5/0x110? handle_bug+0x3c/0x80? exc_invalid_op+0x17/0x70? asm_exc_invalid_op+0x1a/0x20? refcount_warn_saturate+0xe5/0x110 tcp_twsk_unique+0x186/0x190 __inet_check_establecido+0x176/0x2d0 __inet_hash_connect+0x74/0x7d0 ? __pfx___inet_check_establecido+0x10/0x10 tcp_v4_connect+0x278/0x530 __inet_stream_connect+0x10f/0x3d0 inet_stream_connect+0x3a/0x60 __sys_connect+0xa8/0xd0 __x64_sys_connect+0x18/0x20 _64+0x83/0x170 entrada_SYSCALL_64_after_hwframe+0x78/0x80 RIP: 0033:0x7f62c11a885d C\u00f3digo: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48 RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 0000000000000002a RAX: ffffffffffffffda RBX: 20ccb004 RCX: 00007f62c11a885d RDX: 00000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003 RBP: 00007f62c1091e90 R08: 0000000000000 0000R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0 R13: ffffffffffffff88 R14: 0000000000000000 R15: 07ffe237885b0 \"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"net/ipv4/tcp_ipv4.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"84546cc1aeeb4df3e444b18a4293c9823f974be9\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"1796ca9c6f5bd50554214053af5f47d112818ee3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"1d9cf07810c30ef7948879567d10fd1f01121d34\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"27b0284d8be182a81feb65581ab6a724dfd596e8\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"13ed7cdf079686ccd3618335205700c03f6fb446\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"6e48faad92be13166184d21506e4e54c79c13adc\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\",\"lessThan\":\"f2db7230f73a80dbb179deab78f88a7947f0ab7e\",\"versionType\":\"git\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"net/ipv4/tcp_ipv4.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"4.16\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"4.16\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"4.19.314\",\"lessThanOrEqual\":\"4.19.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.4.276\",\"lessThanOrEqual\":\"5.4.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.217\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.159\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.91\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.31\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.8.10\",\"lessThanOrEqual\":\"6.8.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.9\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\",\"affectedData\":[{\"vendor\":\"Siemens\",\"product\":\"RUGGEDCOM RST2428P\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"V3.1\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SCALANCE XCM-/XRM-/XCH-/XRH-300 family\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"V3.1\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.0\",\"lessThan\":\"V3.1.5\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.0\",\"lessThan\":\"V3.1.5\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.0\",\"lessThan\":\"V3.1.5\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.0\",\"lessThan\":\"V3.1.5\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.0\",\"lessThan\":\"V3.1.5\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2024-06-12T19:20:22.181493Z\",\"id\":\"CVE-2024-36904\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.16\",\"versionEndExcluding\":\"4.19.314\",\"matchCriteriaId\":\"3A100E6D-9F5E-4E50-8118-5136BA000396\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.276\",\"matchCriteriaId\":\"126C6EEC-8874-4233-AE09-634924FCDDF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.217\",\"matchCriteriaId\":\"AC67C71C-2044-40BA-B590-61E562F69F89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.159\",\"matchCriteriaId\":\"F16678CD-F7C6-4BF6-ABA8-E7600857197B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.91\",\"matchCriteriaId\":\"4F8C886C-75AA-469B-A6A9-12BF1A29C0D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.31\",\"matchCriteriaId\":\"CDDB1F69-36AC-41C1-9192-E7CCEF5FFC00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.8.10\",\"matchCriteriaId\":\"6A6B920C-8D8F-4130-86B4-AD334F4CF2E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"52048DDA-FC5A-4363-95A0-A6357B4D7F8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A06B2CCF-3F43-4FA9-8773-C83C3F5764B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"F850DCEC-E08B-4317-A33B-D2DCF39F601B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"91326417-E981-482E-A5A3-28BC1327521B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAECDCD8-F556-4606-8D7B-5C6D47A501F2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240905-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-265688.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-398330.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-613116.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/06/msg00019.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240905-0004/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-09-05T08:03:30.442Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-36904\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-12T19:20:22.181493Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-12T19:20:34.515Z\"}}], \"cna\": {\"title\": \"tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"84546cc1aeeb4df3e444b18a4293c9823f974be9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"1796ca9c6f5bd50554214053af5f47d112818ee3\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"1d9cf07810c30ef7948879567d10fd1f01121d34\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"27b0284d8be182a81feb65581ab6a724dfd596e8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"13ed7cdf079686ccd3618335205700c03f6fb446\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"6e48faad92be13166184d21506e4e54c79c13adc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"ec94c2696f0bcd5ae92a553244e4ac30d2171a2d\", \"lessThan\": \"f2db7230f73a80dbb179deab78f88a7947f0ab7e\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv4/tcp_ipv4.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.16\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.16\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.19.314\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.276\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.217\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.159\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.91\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.31\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv4/tcp_ipv4.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/84546cc1aeeb4df3e444b18a4293c9823f974be9\"}, {\"url\": \"https://git.kernel.org/stable/c/1796ca9c6f5bd50554214053af5f47d112818ee3\"}, {\"url\": \"https://git.kernel.org/stable/c/1d9cf07810c30ef7948879567d10fd1f01121d34\"}, {\"url\": \"https://git.kernel.org/stable/c/27b0284d8be182a81feb65581ab6a724dfd596e8\"}, {\"url\": \"https://git.kernel.org/stable/c/13ed7cdf079686ccd3618335205700c03f6fb446\"}, {\"url\": \"https://git.kernel.org/stable/c/6e48faad92be13166184d21506e4e54c79c13adc\"}, {\"url\": \"https://git.kernel.org/stable/c/517e32ea0a8c72202d0d8aa8df50a7cd3d6fdefc\"}, {\"url\": \"https://git.kernel.org/stable/c/f2db7230f73a80dbb179deab78f88a7947f0ab7e\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntcp: Use refcount_inc_not_zero() in tcp_twsk_unique().\\n\\nAnderson Nascimento reported a use-after-free splat in tcp_twsk_unique()\\nwith nice analysis.\\n\\nSince commit ec94c2696f0b (\\\"tcp/dccp: avoid one atomic operation for\\ntimewait hashdance\\\"), inet_twsk_hashdance() sets TIME-WAIT socket\u0027s\\nsk_refcnt after putting it into ehash and releasing the bucket lock.\\n\\nThus, there is a small race window where other threads could try to\\nreuse the port during connect() and call sock_hold() in tcp_twsk_unique()\\nfor the TIME-WAIT socket with zero refcnt.\\n\\nIf that happens, the refcnt taken by tcp_twsk_unique() is overwritten\\nand sock_put() will cause underflow, triggering a real use-after-free\\nsomewhere else.\\n\\nTo avoid the use-after-free, we need to use refcount_inc_not_zero() in\\ntcp_twsk_unique() and give up on reusing the port if it returns false.\\n\\n[0]:\\nrefcount_t: addition on 0; use-after-free.\\nWARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110\\nCPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1\\nHardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023\\nRIP: 0010:refcount_warn_saturate+0xe5/0x110\\nCode: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff \u003c0f\u003e 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8\\nRSP: 0018:ffffc90006b43b60 EFLAGS: 00010282\\nRAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027\\nRDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0\\nRBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0\\nR10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84\\nR13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0\\nFS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0\\nPKRU: 55555554\\nCall Trace:\\n \u003cTASK\u003e\\n ? refcount_warn_saturate+0xe5/0x110\\n ? __warn+0x81/0x130\\n ? refcount_warn_saturate+0xe5/0x110\\n ? report_bug+0x171/0x1a0\\n ? refcount_warn_saturate+0xe5/0x110\\n ? handle_bug+0x3c/0x80\\n ? exc_invalid_op+0x17/0x70\\n ? asm_exc_invalid_op+0x1a/0x20\\n ? refcount_warn_saturate+0xe5/0x110\\n tcp_twsk_unique+0x186/0x190\\n __inet_check_established+0x176/0x2d0\\n __inet_hash_connect+0x74/0x7d0\\n ? __pfx___inet_check_established+0x10/0x10\\n tcp_v4_connect+0x278/0x530\\n __inet_stream_connect+0x10f/0x3d0\\n inet_stream_connect+0x3a/0x60\\n __sys_connect+0xa8/0xd0\\n __x64_sys_connect+0x18/0x20\\n do_syscall_64+0x83/0x170\\n entry_SYSCALL_64_after_hwframe+0x78/0x80\\nRIP: 0033:0x7f62c11a885d\\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48\\nRSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a\\nRAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d\\nRDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003\\nRBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0\\nR13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0\\n \u003c/TASK\u003e\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.314\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.276\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.217\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.159\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.91\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.31\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.10\", \"versionStartIncluding\": \"4.16\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"4.16\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T09:11:46.007Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-36904\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T09:11:46.007Z\", \"dateReserved\": \"2024-05-30T15:25:07.067Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-30T15:29:05.457Z\", \"assignerShortName\": \"Linux\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…