CVE-2024-36905 Overview
A divide-by-zero vulnerability exists in the Linux kernel's TCP stack within the tcp_rcv_space_adjust() function. The flaw occurs during an improper state transition in TCP_SYN_RECV sockets when handling shutdown(SEND_SHUTDOWN) calls. This race condition allows a socket to transition from TCP_SYN_RECV directly to TCP_FIN_WAIT1 without properly initializing buffer space, resulting in a kernel crash due to division by zero.
Critical Impact
This vulnerability can be exploited to cause a kernel panic and system denial of service, particularly in systems handling cross-SYN TCP connections or when exposed to network fuzzing attacks.
Affected Products
- Linux kernel versions prior to the security patches
- Debian Linux (affected versions addressed in LTS announcements)
- NetApp products utilizing affected Linux kernel versions
- Red Hat Enterprise Linux (affected versions)
- Amazon Linux (affected versions)
Discovery Timeline
- May 30, 2024 - CVE-2024-36905 published to NVD
- January 14, 2025 - Last updated in NVD database
Technical Details for CVE-2024-36905
Vulnerability Analysis
The vulnerability resides in how the Linux kernel's TCP implementation handles the shutdown() system call when a socket is in the TCP_SYN_RECV state. This state is specifically used for cross-SYN connections, which are relatively rare in normal network operations but commonly triggered by network fuzzers like syzkaller.
When a socket undergoes the following state transitions without calling tcp_init_transfer() (and consequently tcp_init_buffer_space()), the receive buffer space values remain uninitialized:
- TCP_CLOSE → TCP_SYN_SENT (via connect())
- TCP_SYN_SENT → TCP_SYN_RECV
- TCP_SYN_RECV → TCP_FIN_WAIT1 (via shutdown())
The tcp_rcv_space_adjust() function later performs division operations using these uninitialized values, specifically when processing received messages through tcp_recvmsg_locked(). With the divisor being zero, this triggers a divide error exception in the kernel.
Root Cause
The root cause is an improper state machine transition in tcp_shutdown(). The function allowed direct transition from TCP_SYN_RECV to TCP_FIN_WAIT1, bypassing the TCP_ESTABLISHED state where critical buffer initialization occurs. The fix defers the shutdown operation until the socket properly transitions to TCP_ESTABLISHED, ensuring tcp_init_buffer_space() is called before any receive buffer space calculations.
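The following is an added illustration, not kernel code: a small Python model of the transitions above with the pre-fix and post-fix tcp_shutdown() behaviour side by side. TcpSock, rcv_space, become_established() and scenario() are the model's own names; rcv_space stands in for the receive-space value that tcp_init_buffer_space() normally sets.

```python
# Added illustration, not kernel code: a minimal model of the transitions above.
# rcv_space stands in for the receive-space value that tcp_init_buffer_space()
# normally sets; it stays 0 if that initialisation is skipped.
class TcpSock:
    def __init__(self):
        self.state = "TCP_CLOSE"
        self.sk_shutdown = set()   # pending shutdown flags, e.g. SEND_SHUTDOWN
        self.rcv_space = 0         # uninitialised until init_transfer()

    def init_transfer(self):
        # models tcp_init_transfer() -> tcp_init_buffer_space()
        self.rcv_space = 65536

    def rcv_space_adjust(self, copied):
        # models the division in tcp_rcv_space_adjust(); a zero divisor is the oops
        return copied // self.rcv_space

def shutdown_unpatched(sk):
    # pre-fix behaviour: SYN_RECV goes straight to FIN_WAIT1, buffers never set up
    if sk.state in ("TCP_ESTABLISHED", "TCP_SYN_RECV"):
        sk.state = "TCP_FIN_WAIT1"

def shutdown_patched(sk):
    # post-fix behaviour: in SYN_RECV only record the request and defer it
    sk.sk_shutdown.add("SEND_SHUTDOWN")
    if sk.state == "TCP_ESTABLISHED":
        sk.state = "TCP_FIN_WAIT1"

def become_established(sk):
    # models tcp_rcv_state_process() completing the handshake: SYN_RECV -> ESTABLISHED,
    # buffers initialised, then any deferred shutdown is honoured from a valid state
    sk.state = "TCP_ESTABLISHED"
    sk.init_transfer()
    if "SEND_SHUTDOWN" in sk.sk_shutdown:
        sk.state = "TCP_FIN_WAIT1"

def scenario(patched):
    """Cross-SYN socket, shutdown(SEND_SHUTDOWN) in SYN_RECV, then a receive path."""
    sk = TcpSock()
    sk.state = "TCP_SYN_SENT"      # connect()
    sk.state = "TCP_SYN_RECV"      # peer's SYN arrives (simultaneous open)
    (shutdown_patched if patched else shutdown_unpatched)(sk)
    if sk.state == "TCP_SYN_RECV":
        become_established(sk)     # only reachable when the shutdown was deferred
    try:
        sk.rcv_space_adjust(4096)  # tcp_recvmsg_locked() -> tcp_rcv_space_adjust()
        return sk.state, "ok"
    except ZeroDivisionError:
        return sk.state, "divide error"
```

Both runs end in TCP_FIN_WAIT1; only the deferred variant reaches that state with the buffer space initialised.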
Attack Vector
An attacker can exploit this vulnerability by:
- Creating a socket and initiating a cross-SYN connection scenario
- Allowing the socket to reach TCP_SYN_RECV state
- Immediately calling shutdown() with SEND_SHUTDOWN before the connection fully establishes
- Triggering receive operations that invoke tcp_rcv_space_adjust()
The crash occurs at tcp_rcv_space_adjust+0x2df/0x890 in net/ipv4/tcp_input.c at line 767, where the division operation fails due to a zero divisor. The vulnerability does not require special privileges and can be triggered locally through normal socket operations.
Detection Methods for CVE-2024-36905
Indicators of Compromise
- Kernel panic messages containing "divide error: 0000" with RIP pointing to tcp_rcv_space_adjust
- System crash dumps showing call traces through tcp_recvmsg_locked, tcp_recvmsg, and socket receive functions
- Unexpected system reboots correlated with heavy network activity or fuzzing operations
- Kernel log entries showing PREEMPT SMP KASAN NOPTI divide error exceptions
Detection Strategies
- Monitor kernel logs for divide error exceptions in the TCP stack, specifically in tcp_rcv_space_adjust()
- Deploy kernel crash dump analysis to identify exploitation attempts targeting this vulnerability
- Implement network monitoring for unusual cross-SYN connection patterns that may indicate exploitation attempts
- Use kernel runtime verification tools to detect improper TCP state transitions
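As an added example (not from the original page), a small Python scanner that applies the first two detection points to kernel log text: it splits the log into oops records and flags those whose RIP is tcp_rcv_space_adjust and whose call trace passes through tcp_recvmsg_locked and tcp_recvmsg. The log excerpt is constructed; only the tcp_rcv_space_adjust offset and source line come from this page, and the other offsets are placeholders.

```python
import re

# Constructed sample (not a real capture): one oops matching the indicators above
# and one unrelated divide error that must not be flagged.
SAMPLE_LOG = """\
kernel: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
kernel: RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
kernel: Call Trace:
kernel:  tcp_recvmsg_locked+0x1000/0x2000
kernel:  tcp_recvmsg+0x200/0x900
kernel:  inet_recvmsg+0x100/0x300
kernel: ---[ end trace 0000000000000000 ]---
kernel: divide error: 0000 [#2] PREEMPT SMP NOPTI
kernel: RIP: 0010:unrelated_driver_fn+0x10/0x40
kernel: Call Trace:
kernel:  vfs_read+0x100/0x400
kernel: ---[ end trace 0000000000000000 ]---
"""

OOPS_HEADER = re.compile(r"divide error: 0000")
RIP_SYMBOL = re.compile(r"RIP: \d{4}:(?P<sym>[A-Za-z_][\w.]*)\+0x")
TRACE_SYMBOLS = ("tcp_recvmsg_locked", "tcp_recvmsg")  # both required for a match

def split_oops_records(text):
    """Group lines into records, each starting at a divide error header."""
    records, current = [], None
    for line in text.splitlines():
        if OOPS_HEADER.search(line):
            current = [line]
            records.append(current)
        elif current is not None:
            current.append(line)
            if "end trace" in line:
                current = None
    return records

def classify_record(record):
    """Return the faulting symbol and whether the record matches this CVE's signature."""
    rip = next((m.group("sym") for line in record
                if (m := RIP_SYMBOL.search(line))), None)
    trace_ok = all(any(re.search(rf"\b{sym}\+0x", line) for line in record)
                   for sym in TRACE_SYMBOLS)
    return {"rip": rip, "trace_ok": trace_ok,
            "match": rip == "tcp_rcv_space_adjust" and trace_ok}

def scan_kernel_log(text):
    """Classify every divide-error oops in a dmesg/journal excerpt."""
    return [classify_record(r) for r in split_oops_records(text)]
```

Feed it the output of dmesg or journalctl -k; a match is evidence of the crash signature, not proof of deliberate exploitation, so pair it with the crash dump collection below.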
Monitoring Recommendations
- Enable kernel crash dump collection with kdump or similar tools to capture evidence of exploitation
- Configure system monitoring to alert on unexpected kernel panics or system reboots
- Monitor for patterns of socket creation followed by rapid shutdown calls during SYN_RECV state
- Review syzkaller or other fuzzer logs if running kernel testing infrastructure
How to Mitigate CVE-2024-36905
Immediate Actions Required
- Apply the official Linux kernel patches immediately to all affected systems
- Prioritize patching systems that handle high volumes of network traffic or are exposed to untrusted network input
- Consider restricting local user access on critical systems until patches can be applied
- Monitor systems for signs of exploitation while patch deployment is in progress
Patch Information
The vulnerability has been addressed through multiple kernel patches that modify tcp_shutdown() to prevent the TCP_SYN_RECV to TCP_FIN_WAIT1 transition. The fix ensures that when tcp_rcv_state_process() transitions a socket from TCP_SYN_RECV to TCP_ESTABLISHED, it checks sk->sk_shutdown to properly enter TCP_FIN_WAIT1 and send a FIN packet from a valid socket state. Additionally, tcp_send_fin() has been updated to use GFP_ATOMIC allocations since it can now be called from BH context.
Patches are available from multiple sources:
- Linux Kernel Git Stable Commit 2552c9d9
- Linux Kernel Git Stable Commit 34e41a03
- Debian LTS Security Announcement
- NetApp Security Advisory
- Red Hat CVE Advisory
- AWS Security Advisory
Workarounds
- Limit local user access to systems where kernel upgrades cannot be immediately performed
- Implement network segmentation to reduce exposure of vulnerable systems to untrusted network traffic
- Monitor for and block suspicious network patterns that may indicate fuzzing or exploitation attempts
- Consider disabling non-essential network services on critical systems until patching is complete
# Check the running kernel version and compare it with your distribution's advisory
uname -r
# tcp_shutdown is present in every kernel, patched or not, so finding it in
# /proc/kallsyms proves nothing about the fix; the version check above is the real test
grep -w tcp_shutdown /proc/kallsyms
# Update the kernel on Debian/Ubuntu systems (upgrade the kernel metapackage;
# upgrading only linux-image-$(uname -r) would not pull in a new kernel version)
apt update && apt full-upgrade
# Update the kernel on RHEL/CentOS systems
yum update kernel   # or: dnf update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

