Date: 2024-09-03 Updated:
HIGH risk use-after-free vulnerability in the Linux kernel’s network route management. This flaw allows an attacker to alter the behaviour of certain network connections. [R 1]
EGI SVG ID : EGI-SVG-2024-19
CVE ID : CVE-2024-36971
CVSS Score : 7.8 [R 1]
Sites are recommended to update relevant components as soon as possible using information in the references below.
On Android this vulnerability is said to be exploited in the wild.
Sites should be aware that if a public exploit is released which allows this vulnerability to be exploited in the EGI infrastructure, this vulnerability is likely to be elevated to ‘Critical’ and sites will then be required to patch or have mitigation in place within 7 days or risk suspension.
There is no practical mitigation [R 1]
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2024-19
https://advisories.egi.eu/Advisory-SVG-CVE-2024-36971
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 4] https://security-tracker.debian.org/tracker/CVE-2024-36971
[R 6] https://errata.build.resf.org/ (RockyLinux)
[R 7] https://errata.almalinux.org/ (AlmaLinux)
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Mischa Salle