CVE-2024-36621: Race Condition
Published Nov 29, 2024
Last updated 1 May 2025
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
— NVD
Affected Software
8 affected components, fixes available
go/github.com/moby/moby < 26.0.0 (fixed in 26.0.0)
debian/docker.io <= 20.10.5+dfsg1-1+deb11u2, <= 20.10.5+dfsg1-1+deb11u4, <= 20.10.24+dfsg1-1+deb12u1 (fixed in 26.1.5+dfsg1-9)
Mobyproject Moby = 25.0.5
Microsoft cbl2 moby-engine 24.0.9-16
Microsoft cbl2 moby-engine 24.0.9-16
Microsoft azl3 moby-engine 25.0.3-8
Microsoft cbl2 moby-engine 24.0.9-11
Microsoft azl3 moby-engine 25.0.3-13
Event History
Nov 29, 2024
CVE Published, via MITRE · 12:00 AM
Data Sourced, via MITRE · 12:00 AM: Description
Data Sourced, via NVD · 06:15 PM: Description, Severity, Weakness
Data Sourced, via NVD · 06:15 PM: Remedy, Affected Software
Advisory Published, via GitHub · 06:34 PM
Dec 13, 2024
Data Sourced, via Microsoft · 08:00 AM: Description, Severity, Weakness
Data Sourced, via Microsoft · 08:00 AM: Affected Software
Updated, via Microsoft · 08:00 AM: Description, Severity
May 5, 2025
Data Sourced, via Ubuntu · 05:42 PM: Remedy, Description, Severity, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2024-36621?
CVE-2024-36621 is classified as a medium severity vulnerability due to its potential for resource leaks.
2. How do I fix CVE-2024-36621?
To fix CVE-2024-36621, upgrade to version 26.0.0 or later of the Moby software.
3. What type of vulnerability is CVE-2024-36621?
CVE-2024-36621 is a race condition vulnerability affecting concurrent build processes.
4. Which versions of Moby are affected by CVE-2024-36621?
Versions of Moby prior to 26.0.0 are affected by CVE-2024-36621.
5. What impacts can CVE-2024-36621 have on my system?
CVE-2024-36621 can lead to resource exhaustion which may degrade performance or cause service interruptions.