PRIOn Logo

CVE-2024-36978 Design/Logic Flaw

Routine
Remediate Within 6 Months

CVE Information

Original CVE data

Published:
Updated:

In the Linux kernel, the following vulnerability has been resolved: net: sched: sch_multiq: fix possible OOB write in multiq_tune() q->bands will be assigned to qopt->bands to execute subsequent code logic after kmalloc. So the old q->bands should not be used in kmalloc. Otherwise, an out-of-bounds write will occur.

CWE:
CVSS v2-
CVSS v3-
References
https://git.kernel.org/stable/c/affc18fdc694190ca7575b9a86632a73b9fe043d
https://git.kernel.org/stable/c/0f208fad86631e005754606c3ec80c0d44a11882
https://git.kernel.org/stable/c/54c2c171c11a798fe887b3ff72922aa9d1411c1e
https://git.kernel.org/stable/c/d6fb5110e8722bc00748f22caeb650fe4672f129
https://git.kernel.org/stable/c/d5d9d241786f49ae7cbc08e7fc95a115e9d80f3d
https://git.kernel.org/stable/c/52b1aa07cda6a199cd6754d3798c7759023bc70f
https://git.kernel.org/stable/c/598572c64287aee0b75bbba4e2881496878860f3
Affected Vendors

Basic Analysis

Common vulnerability metrics

Vulnerabilty type as detected by PRIOnengine

Design/Logic Flaw

CVSS Scores as calculated by PRIOnengine
CVSS v27.5
AV:N/AC:L/AU:N/C:P/I:P/A:P
CVSS v37.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
MITRE CWE Top 25

-

Exploits

No exploit code is reported to exist.

Active Exploitation

Vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog

Social Network Activity

-

Threat Actor Activity

No sightings of the vulnerability within threat reports.

Cybersecurity Frameworks

How the vulnerability maps against various cybersecurity frameworks

T1499.004 - Endpoint Denial of Service (Application or System Exploitation)
T1203 - Exploitation for Client Execution
T1059 - Command and Scripting Interpreter

Compliance Impact

How the submited vulnerability affects compliance

PCI DSS v3.2.1-6.5.2 - Buffer Overflows

Web Application Security Frameworks

Applicable if the issue likely affects a web application

-