CVE-2024-36016 Overview
CVE-2024-36016 is an out-of-bounds write vulnerability in the Linux kernel's n_gsm TTY line discipline implementation, specifically in the gsm0_receive() function. The vulnerability arises from improper handling of frame data during mode switching between basic and advanced option modes in the GSM 0710 multiplexer protocol. An attacker can exploit the lack of proper state and length validation during reconfiguration to write past the allocated buffer boundaries.
Critical Impact
Through memory corruption, local attackers can potentially achieve high confidentiality and availability impact, leading to information disclosure or system crashes.
Affected Products
- Linux Kernel (multiple versions affected)
- Debian Linux distributions using vulnerable kernel versions
- Systems utilizing GSM 0710 multiplexer functionality
Discovery Timeline
- May 29, 2024 - CVE-2024-36016 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-36016
Vulnerability Analysis
This vulnerability exists in the n_gsm TTY line discipline driver, which implements the GSM 0710 multiplexer protocol for serial communication multiplexing. The out-of-bounds write condition occurs due to a specific sequence of events involving mode switching between basic and advanced option modes.
The attack sequence works as follows: when side A configures n_gsm in basic option mode, side B can send a basic option mode frame header with a data length of 1. If side A then switches to advanced option mode while side B sends 2 data bytes, the received data exceeds gsm->len because this variable is not used in advanced option mode. When side A switches back to basic option mode and side B continues sending data, gsm0_receive() can write past the gsm->buf buffer boundary. This occurs because neither gsm->state nor gsm->len is reset after reconfiguration.
Root Cause
The root cause is a failure to properly reset state variables (gsm->state and gsm->len) during mode reconfiguration in the n_gsm driver. Additionally, the original code used an equality comparison (==) between gsm->count and gsm->len rather than a less-than comparison (<), allowing the buffer write to proceed even when the count exceeded the expected length. The absence of upper limit checks against MAX_MRU in both gsm0_receive() and gsm1_receive() functions further contributed to the vulnerability by not providing defense against potential memory corruption of gsm->len and gsm->mru.
Attack Vector
The vulnerability requires local access to the system to manipulate the n_gsm TTY line discipline. An attacker needs the ability to control both ends of a GSM multiplexer communication or influence the timing of mode switches and data transmission to trigger the out-of-bounds write condition.
The fix changes the gsm->count to gsm->len comparison from equal to less-than and adds upper limit checks against the constant MAX_MRU in both gsm0_receive() and gsm1_receive() to harden against memory corruption scenarios. For detailed patch information, see Linux Kernel Commit 47388e8.
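The comparison change described above, shown as a userspace model added here for illustration; it is not the kernel's code. The struct, the function names and the small MODEL_MAX_MRU value are assumptions, and stores that would land outside the buffer are counted instead of performed.

```c
#include <stdio.h>

#define MODEL_MAX_MRU  8                    /* constructed small cap standing in for MAX_MRU */
#define MODEL_BUF_SIZE (MODEL_MAX_MRU + 1)

enum rx_state { RX_DATA, RX_FCS, RX_RESYNC };

struct rx_model {                           /* hypothetical stand-in for the fields the text names */
    enum rx_state state;
    unsigned int len, count, oob_writes;    /* oob_writes: stores that would miss buf */
    unsigned char buf[MODEL_BUF_SIZE];
};

/* One data-state step. hardened=0: equality test only. hardened=1: less-than test plus cap. */
static void rx_data_byte(struct rx_model *m, unsigned char c, int hardened)
{
    if (m->state != RX_DATA)
        return;
    if (m->count < MODEL_BUF_SIZE)
        m->buf[m->count] = c;
    else
        m->oob_writes++;                    /* counted, never performed */
    m->count++;
    if (hardened) {
        if (m->count >= MODEL_MAX_MRU)
            m->state = RX_RESYNC;           /* oversize frame: drop it */
        else if (!(m->count < m->len))
            m->state = RX_FCS;              /* payload complete or already overshot */
    } else if (m->count == m->len) {
        m->state = RX_FCS;                  /* never true once count > len */
    }
}

/* Feed nbytes starting from the given len/count; returns would-be OOB stores. */
unsigned int replay(int hardened, unsigned int len, unsigned int count, unsigned int nbytes, enum rx_state *final)
{
    struct rx_model m = { .state = RX_DATA, .len = len, .count = count };
    for (unsigned int i = 0; i < nbytes; i++)
        rx_data_byte(&m, (unsigned char)i, hardened);
    if (final)
        *final = m.state;
    return m.oob_writes;
}

int main(void)
{
    printf("equality: %u  less-than+cap: %u\n", replay(0, 1, 2, 20, NULL), replay(1, 1, 2, 20, NULL));
    return 0;
}
```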
Detection Methods for CVE-2024-36016
Indicators of Compromise
- Kernel crash logs or OOPS messages related to n_gsm or TTY subsystem
- Unexpected memory access violations in kernel logs referencing gsm0_receive or gsm1_receive functions
- System instability when using GSM 0710 multiplexer functionality
Detection Strategies
- Monitor kernel logs for out-of-bounds access warnings related to the n_gsm driver
- Enable the Kernel Address Sanitizer (KASAN) in development environments to detect buffer overflows
- Review system logs for anomalous TTY line discipline switching patterns
Monitoring Recommendations
- Enable kernel auditing to track TTY device access and line discipline changes
- Deploy endpoint detection solutions that monitor for kernel memory corruption indicators
- Implement the SentinelOne Singularity platform for real-time kernel-level threat detection and behavioral analysis
How to Mitigate CVE-2024-36016
Immediate Actions Required
- Update the Linux kernel to a patched version as soon as one is available from your distribution
- If GSM 0710 multiplexer functionality is not required, consider disabling or blacklisting the n_gsm module
- Monitor systems for signs of exploitation attempts targeting the n_gsm subsystem
Patch Information
The Linux kernel team has released patches across multiple stable branches to address this vulnerability. The fix changes the comparison logic from equality to less-than and adds MAX_MRU upper limit checks in both gsm0_receive() and gsm1_receive() functions. Patches are available from the following commits:
- Linux Kernel Commit 47388e8
- Linux Kernel Commit 774d83b
- Linux Kernel Commit 9513d41
- Linux Kernel Commit b229bc6
Debian users should refer to the Debian LTS Announcement for distribution-specific patch information.
Workarounds
- Blacklist the n_gsm kernel module if not needed: add blacklist n_gsm to /etc/modprobe.d/blacklist.conf
- Restrict access to TTY devices using appropriate file permissions
- Implement network segmentation to limit exposure of systems using GSM multiplexer functionality
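# Disable the n_gsm module if it is not required (run as root)
echo "blacklist n_gsm" >> /etc/modprobe.d/blacklist-n_gsm.conf
# "blacklist" only stops alias-based autoloading; the install override makes modprobe requests for the module fail
echo "install n_gsm /bin/false" >> /etc/modprobe.d/blacklist-n_gsm.conf
# Rebuild the initramfs so the setting also applies during early boot
update-initramfs -u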