LiveActive security incident?Get immediate response
CVE Record

CVE-2024-36286: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() syzbot reported that nf_reinject() could be called without rcu_read_lock() : WARNING: suspicious RCU usage 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Not tainted net/netfilter/nfnetlink_queue.c:263 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/13427: #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2190 [inline] #0: ffffffff8e334f60 (rcu_callback){....}-{0:0}, at: rcu_core+0xa86/0x1830 kernel/rcu/tree.c:2471 #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: nfqnl_flush net/netfilter/nfnetlink_queue.c:405 [inline] #1: ffff88801ca92958 (&inst->lock){+.-.}-{2:2}, at: instance_destroy_rcu+0x30/0x220 net/netfilter/nfnetlink_queue.c:172 stack backtrace: CPU: 0 PID: 13427 Comm: syz-executor.4 Not tainted 6.9.0-rc7-syzkaller-02060-g5c1672705a1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712 nf_reinject net/netfilter/nfnetlink_queue.c:323 [inline] nfqnl_reinject+0x6ec/0x1120 net/netfilter/nfnetlink_queue.c:397 nfqnl_flush net/netfilter/nfnetlink_queue.c:410 [inline] instance_destroy_rcu+0x1ae/0x220 net/netfilter/nfnetlink_queue.c:172 rcu_do_batch kernel/rcu/tree.c:2196 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2471 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554 __do_softirq kernel/softirq.c:588 [inline] invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 </IRQ> <TASK>

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel bug in the netfilter queue path. The public record shows a missing RCU read lock that syzbot detected during kernel testing. The source bundle does not provide CVSS, CWE, confirmed impact, or active exploitation, so business urgency should be driven by affected kernel presence and vendor advisories.

Executive priority

Treat this as a kernel maintenance item with uncertain severity. Prioritize systems that are externally exposed, security-critical, or vendor-managed appliances, but avoid emergency escalation unless your vendor rates it higher or reports exploitation.

Technical view

CVE-2024-36286 affects Linux kernel nfnetlink_queue. instance_destroy_rcu() could call nf_reinject() without holding rcu_read_lock(), producing suspicious RCU usage in net/netfilter/nfnetlink_queue.c. Linux stable commits are referenced as fixes across maintained branches. The record lists multiple affected kernel version lines but gives no exploit primitive or severity score.

Likely exposure

Exposure is likely limited to systems running affected Linux kernels, particularly where netfilter queue functionality is present or used. Debian LTS and Siemens advisories indicate downstream operating systems and products may need vendor-specific updates. The bundle does not prove remote reachability or default exploitability.

Exploitation context

The CVE is not listed as KEV in the provided bundle, and no cited source claims active exploitation. The evidence comes from syzbot kernel testing and stable kernel fixes. No public exploit status, attacker prerequisites, or reliable impact classification are provided here.

Researcher notes

The record lacks CVSS, CWE, and concrete impact. Analysis should stay close to the kernel patch and downstream advisories. Validate branch-specific fixed versions through the linked stable commits and vendor notices rather than extrapolating from the syzbot warning alone.

Mitigation direction

  • Upgrade affected Linux kernels through the operating system or product vendor update channel.
  • Track the referenced Linux stable commits for the maintained kernel branch in use.
  • Apply Debian LTS kernel updates where Debian LTS systems are in scope.
  • Review Siemens advisories for affected product-specific remediation guidance.
  • If patching is delayed, follow vendor guidance for compensating controls.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded products.
  • Compare installed kernels against vendor advisories and fixed stable branch updates.
  • Identify systems using netfilter queue or related firewall inspection components.
  • Confirm patched kernels include the applicable referenced stable commit.
  • Check vulnerability scanners for OS vendor advisories covering CVE-2024-36286.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-36286 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257, 9872bec773c2e8503fec480c1e8a0c732517e257unaffected
LinuxLinux2.6.25, 0, 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.9.4, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.