CVE-2024-36964Resource Injection in Linux

CWE-99Resource Injection55 documents7 sources
Severity
5.5MEDIUMNVD
OSV7.8OSV6.5
EPSS
0.0%
top 95.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
LinuxLinux KernelDebian Linux+1 more
Timeline
PublishedJun 3
Latest updateMar 13

Description

In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

NVDlinux/linux_kernel4.205.4.276+7
Debianlinux/linux_kernel< 5.10.218-1+3
Ubuntulinux/linux_kernel< 5.4.0-192.212+5
CVEListV5linux/linux45089142b1497dab2327d60f6c71c40766fc3ea4e90bc596a74bb905e0a45bf346038c3f9d1e868d+9
debiandebian/linux< linux 6.1.94-1 (bookworm)

Also affects: Debian Linux 10.0

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

27
OSV
linux-lts-xenial vulnerabilities2025-03-13
OSV
linux-azure, linux-azure-4.15 vulnerabilities2025-03-13
OSV
linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle vulnerabilities2025-03-11
OSV
linux-kvm vulnerabilities2025-03-11
OSV
linux, linux-hwe vulnerabilities2025-03-11

📋Vendor Advisories

26
Ubuntu
Linux kernel vulnerabilities2025-03-13
Ubuntu
Linux kernel vulnerabilities2025-03-13
Ubuntu
Linux kernel vulnerabilities2025-03-11
Ubuntu
Linux kernel vulnerabilities2025-03-11
Ubuntu
Linux kernel vulnerabilities2025-03-11

💬Community

1
Bugzilla
CVE-2024-36964 kernel: fs/9p: only translate RWX permissions for plain 9P20002024-06-04