CVE-2024-36006: mlxsw: spectrum_acl_tcam: Fix incorrect list API usage

Published May 20, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrumacltcam: Fix incorrect list API usage

Both the function that migrates all the chunks within a region and the function that migrates all the entries within a chunk call listfirstentry() on the respective lists without checking that the lists are not empty. This is incorrect usage of the API, which leads to the following warning [1].

Fix by returning if the lists are empty as there is nothing to migrate in this case.

[1] WARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrumacltcam.c:1266 mlxswspacltcamvchunkmigrateall+0x1f1/0> Modules linked in: CPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxswcore mlxswspacltcamvregionrehashwork RIP: 0010:mlxswspacltcamvchunkmigrateall+0x1f1/0x2c0 [...] Call Trace: <TASK> mlxswspacltcamvregionrehashwork+0x6c/0x4a0 processonework+0x151/0x370 workerthread+0x2cb/0x3e0 kthread+0xd0/0x100 retfromfork+0x34/0x50 retfromforkasm+0x1a/0x30 </TASK>

Other sources

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrumacltcam: Fix incorrect list API usage

The Linux kernel CVE team has assigned CVE-2024-36006 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052025-CVE-2024-36006-c032@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by an error related to spectrumacltcam. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.

IBM

Affected Software

24 affected componentsFixes available
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
redhat/kernel<5.4.275
5.4.275
redhat/kernel<5.10.216
5.10.216
redhat/kernel<5.15.158
5.15.158
redhat/kernel<6.1.90
6.1.90
redhat/kernel<6.6.30
6.6.30
redhat/kernel<6.8.9
6.8.9
redhat/kernel<6.9
6.9
Linux Linux kernel>=5.1<5.4.275
Linux Linux kernel>=5.5<5.10.216
Linux Linux kernel>=5.11<5.15.158
Linux Linux kernel>=5.16<6.1.90
Linux Linux kernel>=6.2<6.6.30
Linux Linux kernel>=6.7<6.8.9
Linux Linux kernel=6.9-rc1
Linux Linux kernel=6.9-rc2
Linux Linux kernel=6.9-rc3
Linux Linux kernel=6.9-rc4
Linux Linux kernel=6.9-rc5
Debian Debian Linux=10.0

Remediation

Patch Available

https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530

Patch Available

https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a

Patch Available

https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154

Patch Available

https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0

Patch Available

https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40

Patch Available

https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97

Patch Available

https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79

Event History

May 20, 2024
CVE Published
via MITRE·09:48 AM
Data Sourced
via MITRE·09:48 AM
Description
Data Sourced
via NVD·10:15 AM
Description
Data Sourced
via NVD·10:15 AM
RemedySeverityAffected Software
Data Sourced
via Red Hat·05:59 PM
DescriptionSeverityAffected Software
Jul 12, 2024
Data Sourced
via Launchpad·02:47 PM
Description
Apr 27, 2025
Data Sourced
via Ubuntu·12:25 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-36006?

The severity of CVE-2024-36006 is classified as medium, reflecting a moderate risk in the Linux kernel.

2

How do I fix CVE-2024-36006?

To fix CVE-2024-36006, update your Linux kernel to one of the specified remedied versions, such as 5.4.275 or 5.10.216 depending on your distribution.

3

Which systems are affected by CVE-2024-36006?

CVE-2024-36006 affects Linux kernel versions prior to their respective fixed releases in both Red Hat and Debian distributions.

4

Does CVE-2024-36006 affect both server and desktop environments?

Yes, CVE-2024-36006 affects both server and desktop environments running vulnerable versions of the Linux kernel.

5

Are there known exploits for CVE-2024-36006?

As of now, there are no publicly known exploits specifically targeting CVE-2024-36006.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203