{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-36979",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-05-30T15:25:07.082Z",
        "datePublished": "2024-06-19T13:35:12.708Z",
        "dateUpdated": "2024-08-02T03:43:50.547Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-07-15T06:47:23.521Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mst: fix vlan use-after-free\n\nsyzbot reported a suspicious rcu usage[1] in bridge's mst code. While\nfixing it I noticed that nothing prevents a vlan to be freed while\nwalking the list from the same path (br forward delay timer). Fix the rcu\nusage and also make sure we are not accessing freed memory by making\nbr_mst_vlan_set_state use rcu read lock.\n\n[1]\n WARNING: suspicious RCU usage\n 6.9.0-rc6-syzkaller #0 Not tainted\n -----------------------------\n net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!\n ...\n stack backtrace:\n CPU: 1 PID: 8017 Comm: syz-executor.1 Not tainted 6.9.0-rc6-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\n Call Trace:\n  <IRQ>\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n  lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712\n  nbp_vlan_group net/bridge/br_private.h:1599 [inline]\n  br_mst_set_state+0x1ea/0x650 net/bridge/br_mst.c:105\n  br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47\n  br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88\n  call_timer_fn+0x18e/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2429\n  run_timer_base kernel/time/timer.c:2438 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448\n  __do_softirq+0x2c6/0x980 kernel/softirq.c:554\n  invoke_softirq kernel/softirq.c:428 [inline]\n  __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:645\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043\n  </IRQ>\n  <TASK>\n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702\n RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5758\n Code: 2b 00 74 08 4c 89 f7 e8 ba d1 84 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25\n RSP: 0018:ffffc90013657100 EFLAGS: 00000206\n RAX: 0000000000000001 RBX: 1ffff920026cae2c RCX: 0000000000000001\n RDX: dffffc0000000000 RSI: ffffffff8bcaca00 RDI: ffffffff8c1eaa60\n RBP: ffffc90013657260 R08: ffffffff92efe507 R09: 1ffffffff25dfca0\n R10: dffffc0000000000 R11: fffffbfff25dfca1 R12: 1ffff920026cae28\n R13: dffffc0000000000 R14: ffffc90013657160 R15: 0000000000000246"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/bridge/br_mst.c"
                    ],
                    "versions": [
                        {
                            "version": "ec7328b59176",
                            "lessThan": "8ca9a750fc71",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec7328b59176",
                            "lessThan": "4488617e5e99",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec7328b59176",
                            "lessThan": "a2b01e65d9ba",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec7328b59176",
                            "lessThan": "e43dd2b1ec74",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "ec7328b59176",
                            "lessThan": "3a7c1661ae13",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "net/bridge/br_mst.c"
                    ],
                    "versions": [
                        {
                            "version": "5.18",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.18",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.93",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.33",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.8.12",
                            "lessThanOrEqual": "6.8.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.9.3",
                            "lessThanOrEqual": "6.9.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.10",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e"
                },
                {
                    "url": "https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59"
                },
                {
                    "url": "https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac"
                },
                {
                    "url": "https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4"
                },
                {
                    "url": "https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b"
                }
            ],
            "title": "net: bridge: mst: fix vlan use-after-free",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-06-24T15:36:13.939816Z",
                                "id": "CVE-2024-36979",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-24T15:36:22.198Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T03:43:50.547Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/8ca9a750fc711911ef616ceb627d07357b04545e",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/4488617e5e995a09abe4d81add5fb165674edb59",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/a2b01e65d9ba8af2bb086d3b7288ca53a07249ac",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/e43dd2b1ec746e105b7db5f9ad6ef14685a615a4",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/3a7c1661ae1383364cd6092d851f5e5da64d476b",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}