CVE-2024-36978 Overview
CVE-2024-36978 is an out-of-bounds write vulnerability in the Linux kernel's sch_multiq network scheduler. The flaw resides in the multiq_tune() function within the network queueing discipline subsystem. A local attacker with low privileges can trigger memory corruption by exploiting a logic error in how q->bands is reassigned during kmalloc operations. The vulnerability is tracked under CWE-787 and affects multiple Linux kernel versions including 6.10-rc1 and 6.10-rc2. Successful exploitation can result in kernel memory corruption, leading to privilege escalation, denial of service, or arbitrary code execution within kernel context.
Critical Impact
Local attackers can corrupt kernel memory through the multiq queueing discipline, potentially achieving kernel-level code execution and full system compromise.
Affected Products
- Linux Kernel (multiple versions prior to fix)
- Linux Kernel 6.10-rc1
- Linux Kernel 6.10-rc2
Discovery Timeline
- 2024-06-19 - CVE-2024-36978 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2024-36978
Vulnerability Analysis
The vulnerability exists in the multiq_tune() function in net/sched/sch_multiq.c, which configures the multi-queue queueing discipline (qdisc) in the Linux kernel traffic control subsystem. The sch_multiq qdisc distributes packets across multiple bands corresponding to hardware transmit queues.
During reconfiguration, multiq_tune() updates the number of bands managed by the qdisc. The function assigns q->bands to the new value from qopt->bands from user-supplied configuration. However, the original code used the updated q->bands value in a subsequent kmalloc allocation and indexing operation, when it should have used the previous value or aligned the allocation size with the access pattern.
This discrepancy creates an out-of-bounds write condition. An attacker with CAP_NET_ADMIN capability in a user namespace can issue crafted netlink messages to manipulate the multiq qdisc and write beyond the allocated buffer.
Root Cause
The root cause is improper sequencing of state updates and memory allocation within multiq_tune(). The function assigned the new band count to the queue structure before completing the allocation logic that depended on the old value. Subsequent code paths used the stale assumption, causing writes past the bounds of the allocated q->queues array.
Attack Vector
Exploitation requires local access with privileges to configure network queueing disciplines. Unprivileged users in containers or sandboxes that grant CAP_NET_ADMIN within a user namespace may also reach the vulnerable code path. The attacker invokes the netlink interface to add or modify a multiq qdisc with a crafted band configuration, triggering the out-of-bounds write. Technical details and patch commits are available in the Linux Kernel Git repository.
No public proof-of-concept exploit code has been released for this issue.
Detection Methods for CVE-2024-36978
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing sch_multiq, multiq_tune, or KASAN reports of slab-out-of-bounds writes in the network scheduler.
- Anomalous tc qdisc add or tc qdisc change invocations specifying the multiq discipline from non-administrative user contexts.
- Process activity from unprivileged users or containers spawning netlink sockets targeting RTM_NEWQDISC with multiq parameters.
Detection Strategies
- Audit execve events for tc commands referencing multiq and correlate with the invoking user, container, and namespace context.
- Enable Linux Audit rules on the setsockopt and netlink message paths used by traffic control to flag unexpected qdisc configuration changes.
- Monitor kernel logs (dmesg, /var/log/kern.log) for KASAN, slab corruption, or general protection fault entries related to sch_multiq.
Monitoring Recommendations
- Inventory hosts running affected kernel versions and prioritize patching on multi-tenant systems and container hosts where untrusted workloads execute.
- Forward kernel and audit logs to a centralized log analytics platform to identify crash patterns indicative of exploitation attempts.
- Track usage of CAP_NET_ADMIN grants in user namespaces and container runtimes such as Docker, containerd, and Kubernetes.
How to Mitigate CVE-2024-36978
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable kernel commits, including d6fb5110e8722bc00748f22caeb650fe4672f129 and related backports.
- Update to a distribution kernel package that incorporates the fix, including the Debian LTS update documented in the Debian LTS announcement.
- Review and apply Siemens product advisories for affected industrial systems, including SSA-265688, SSA-355557, and SSA-613116.
Patch Information
The fix reorders the logic in multiq_tune() so that the previous q->bands value is used for allocation sizing before the new value is assigned. Patched commits are tracked in the upstream Linux kernel stable tree, with the primary fix available at the Kernel Git Commit. Distribution maintainers including Debian and Siemens have released corresponding updates for supported kernel branches.
Workarounds
- Restrict CAP_NET_ADMIN capability assignment in user namespaces and container security profiles to prevent unprivileged access to qdisc configuration.
- Disable or blacklist the sch_multiq kernel module on systems that do not require multi-queue traffic shaping by adding blacklist sch_multiq to /etc/modprobe.d/.
- Apply seccomp or AppArmor profiles to container workloads to block netlink configuration syscalls targeting traffic control.
# Configuration example: blacklist the vulnerable module
echo 'blacklist sch_multiq' | sudo tee /etc/modprobe.d/disable-multiq.conf
sudo rmmod sch_multiq 2>/dev/null
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
