CVE-2024-36886: Linux Kernel Use-After-Free Vulnerability

CVE-2024-36886 Overview

CVE-2024-36886 is a use-after-free (UAF) vulnerability [CWE-416] in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol implementation. The flaw resides in the error path of the tipc_buf_append() function in net/tipc/msg.c. When message reassembly fails, the kernel frees a socket buffer (skb) that is still referenced by a fragment list, leading to a slab-use-after-free condition detected by KASAN in kfree_skb_list_reason(). The vulnerability was reported by Sam Page (sam4k) working with Trend Micro Zero Day Initiative. Successful exploitation can result in kernel memory corruption, denial of service, or local privilege escalation on systems with the TIPC module loaded.

Critical Impact

A local attacker capable of sending crafted TIPC fragments over UDP can trigger kernel memory corruption, potentially leading to privilege escalation or full system compromise.

Affected Products

• Linux Kernel (multiple stable branches prior to the patched commits, including 6.9-rc1 through 6.9-rc6)
• Debian Linux 10.0 (LTS)
• NetApp products bundling affected Linux kernels (per NetApp advisory ntap-20241018-0002)

Discovery Timeline

• Vulnerability reported by Sam Page (sam4k) working with Trend Micro Zero Day Initiative
• 2024-05-30 - CVE-2024-36886 published to NVD
• 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2024-36886

Vulnerability Analysis

The vulnerability is a use-after-free in the TIPC kernel module, classified under [CWE-416]. TIPC is a cluster-oriented messaging protocol used for inter-node communication, and it supports message fragmentation and reassembly. The tipc_buf_append() function reassembles incoming fragments into a complete message. When the function encounters an error during reassembly, it incorrectly frees an skb that remains linked into the fragment chain. A subsequent traversal of that chain in kfree_skb_list_reason() dereferences freed memory, as confirmed by the KASAN report against kernel 6.8.2.

The defect is reachable from the network input path: tipc_udp_recv() → tipc_rcv() → tipc_link_rcv() → tipc_link_input() → tipc_buf_append(). Because TIPC can run over UDP, the trigger does not require raw socket privileges on the target — any local user able to send UDP datagrams to a TIPC-bound port can drive the code path.

Root Cause

The root cause is improper lifetime management of socket buffers on the error path. The reassembly logic releases an skb while it is still referenced by skb->next or a fragment list pointer. When the kernel later iterates the list to free remaining buffers, it reads memory that has been returned to the SLAB allocator, producing the slab-use-after-free reported by KASAN.

Attack Vector

Exploitation requires local access and the ability to send TIPC-encapsulated UDP traffic to the host. The TIPC kernel module must be loaded (tipc.ko), which is the default on many distributions when TIPC sockets are first used. A local attacker crafts malformed TIPC fragments to force the reassembly error path, triggering the UAF. Skilled attackers can shape the freed slab object to overlap with a controllable structure, converting the UAF into arbitrary kernel write primitives and ultimately privilege escalation. The CVSS vector indicates local attack vector with low privileges and high impact to confidentiality, integrity, and availability.

No public proof-of-concept exploit code is available in the referenced advisories. Technical details of the fix are visible in the upstream kernel commits, including 21ea04aad8a0, 367766ff9e40, 93bc2d6d16f2, and ffd4917c1edb.

Detection Methods for CVE-2024-36886

Indicators of Compromise

• Kernel oops or KASAN reports referencing kfree_skb_list_reason, skb_release_data, or tipc_buf_append in dmesg and /var/log/kern.log.
• Unexpected loading of the tipc kernel module on systems that do not use TIPC, observable via lsmod | grep tipc.
• Unusual UDP traffic destined for TIPC bearer ports from local processes that do not legitimately use cluster messaging.
• Local user processes opening AF_TIPC sockets, visible in audit logs for the socket() syscall with domain=30.

Detection Strategies

• Enable kernel auditd rules for socket and bind syscalls with a0=30 (AF_TIPC) to flag unexpected TIPC socket creation by unprivileged users.
• Monitor kernel ring buffer for BUG: KASAN: slab-use-after-free strings and tipc_ symbols, then forward to centralized logging for correlation.
• Use eBPF or kprobe-based tracing on tipc_buf_append to alert on abnormally high error-path invocations from a single PID.

Monitoring Recommendations

• Centralize kernel logs and alert on TIPC-related stack traces or oops events on hosts that do not run TIPC workloads.
• Track modprobe and kmod activity to detect on-demand loading of the tipc module by non-root processes via socket autoload.
• Inventory installed kernel versions across the fleet and correlate against the patched commits listed in the kernel.org advisory.

How to Mitigate CVE-2024-36886

Immediate Actions Required

• Patch affected Linux kernels to a fixed stable release that contains the upstream commits resolving the TIPC reassembly UAF.
• Blacklist the tipc kernel module on hosts that do not require cluster messaging by adding install tipc /bin/true to /etc/modprobe.d/.
• Restrict creation of AF_TIPC sockets through seccomp profiles or SELinux/AppArmor policies for untrusted local users.
• Apply Debian LTS updates referenced in announcements debian-lts-announce/2024/06/msg00019.html and msg00020.html on Debian 10 systems.

Patch Information

The fix is committed to the mainline and stable trees. Relevant commits include Kernel Commit 21ea04a, Kernel Commit 367766f, Kernel Commit 93bc2d6, Kernel Commit a0fbb26, Kernel Commit e19ec8a, Kernel Commit ffd4917, Kernel Commit 080cbb8, and Kernel Commit 6611655. NetApp users should consult NetApp Advisory ntap-20241018-0002 for bundled product fixes.

Workarounds

• Blacklist or unload the tipc module where it is not required: rmmod tipc and create a modprobe blacklist entry.
• Disable autoload of network protocol modules by setting install tipc /bin/false to prevent unprivileged users from triggering module load via socket(AF_TIPC, ...).
• Apply seccomp filters to container workloads and untrusted services to deny socket() calls with AF_TIPC (domain 30).
• Where TIPC over UDP is required, restrict the UDP bearer ports with host firewall rules so only trusted nodes can reach them.

# Configuration example: prevent the vulnerable TIPC module from loading
echo "install tipc /bin/true" | sudo tee /etc/modprobe.d/blacklist-tipc.conf
sudo rmmod tipc 2>/dev/null || true

# Verify the module is not loaded
lsmod | grep tipc || echo "tipc module not loaded"