CVE-2024-36883: net: fix out-of-bounds access in ops_init

Published May 30, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

net: fix out-of-bounds access in opsinit

netallocgeneric is called by netalloc, which is called without any locking. It reads maxgenptrs, which is changed under pernetopsrwsem. It is read twice, first to allocate an array, then to set s.len, which is later used to limit the bounds of the array access.

It is possible that the array is allocated and another thread is registering a new pernet ops, increments maxgenptrs, which is then used to set s.len with a larger than allocated length for the variable array.

Fix it by reading maxgenptrs only once in netallocgeneric. If maxgenptrs is later incremented, it will be caught in netassigngeneric.

Other sources

In the Linux kernel, the following vulnerability has been resolved:

net: fix out-of-bounds access in opsinit

The Linux kernel CVE team has assigned CVE-2024-36883 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024053032-CVE-2024-36883-b892@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access in opsinit. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.

IBM

Affected Software

37 affected componentsFixes available
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
redhat/kernel<4.19.314
4.19.314
redhat/kernel<5.4.276
5.4.276
redhat/kernel<5.10.217
5.10.217
redhat/kernel<5.15.159
5.15.159
redhat/kernel<6.1.91
6.1.91
redhat/kernel<6.6.31
6.6.31
redhat/kernel<6.8.10
6.8.10
redhat/kernel<6.9
6.9
Linux Linux kernel>=3.0.19<3.1
Linux Linux kernel>=3.2.3<3.3
Linux Linux kernel>=3.3.1<4.19.314
Linux Linux kernel>=4.20<5.4.276
Linux Linux kernel>=5.5<5.10.217
Linux Linux kernel>=5.11<5.15.159
Linux Linux kernel>=5.16<6.1.91
Linux Linux kernel>=6.2<6.6.31
Linux Linux kernel>=6.7<6.8.10
Linux Linux kernel=3.3
Linux Linux kernel=3.3-rc2
Linux Linux kernel=3.3-rc3
Linux Linux kernel=3.3-rc4
Linux Linux kernel=3.3-rc5
Linux Linux kernel=3.3-rc6
Linux Linux kernel=3.3-rc7
Linux Linux kernel=6.9-rc1
Linux Linux kernel=6.9-rc2
Linux Linux kernel=6.9-rc3
Linux Linux kernel=6.9-rc4
Linux Linux kernel=6.9-rc5
Linux Linux kernel=6.9-rc6
Linux Linux kernel=6.9-rc7
Debian Debian Linux=10.0

Remediation

Patch Available

https://git.kernel.org/stable/c/0c3248bc708a7797be573214065cf908ff1f54c7

Patch Available

https://git.kernel.org/stable/c/2d60ff5874aefd006717ca5e22ac1e25eac29c42

Patch Available

https://git.kernel.org/stable/c/3cdc34d76c4f777579e28ad373979d36c030cfd3

Patch Available

https://git.kernel.org/stable/c/7b0e64583eab8c1d896b47e5dd0bf2e7d86ec41f

Patch Available

https://git.kernel.org/stable/c/9518b79bfd2fbf99fa9b7e8e36bcb1825e7ba030

Patch Available

https://git.kernel.org/stable/c/a26ff37e624d12e28077e5b24d2b264f62764ad6

Patch Available

https://git.kernel.org/stable/c/b6dbfd5bcc267a95a0bf1bf96af46243f96ec6cd

Patch Available

https://git.kernel.org/stable/c/f4f94587e1bf87cb40ec33955a9d90148dd026ab

Event History

May 30, 2024
CVE Published
via MITRE·03:28 PM
Data Sourced
via MITRE·03:28 PM
Description
Data Sourced
via NVD·04:15 PM
Description
Data Sourced
via NVD·04:15 PM
RemedySeverityWeaknessAffected Software
Jun 2, 2024
Data Sourced
via Red Hat·03:06 PM
DescriptionSeverityAffected Software
Aug 8, 2024
Data Sourced
via Launchpad·11:24 PM
Description
Apr 27, 2025
Data Sourced
via Ubuntu·12:27 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-36883?

CVE-2024-36883 has been rated as a high severity vulnerability affecting the Linux kernel.

2

Which Linux kernel versions are affected by CVE-2024-36883?

CVE-2024-36883 affects Linux kernel versions earlier than 4.19.314, 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31, 6.8.10, and 6.9.

3

How do I fix CVE-2024-36883?

To fix CVE-2024-36883, upgrade your kernel to the patched versions specified in the vulnerability report.

4

What problem does CVE-2024-36883 cause in the Linux kernel?

CVE-2024-36883 can lead to an out-of-bounds access issue in the network subsystem of the Linux kernel.

5

Is CVE-2024-36883 related to a particular component in the Linux kernel?

Yes, CVE-2024-36883 is specifically related to the network operations initialization and allocation in the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203