CVE-2024-36288: SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
The in_token->pages[] array is not NULL terminated. This results in
the following KASAN splat:
KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]
Security readout for executives and security teams
Plain-English summary
CVE-2024-36288 is a Linux kernel SUNRPC memory-handling bug. The kernel may read past an internal pages array because code assumed NULL termination that is not present. The supplied sources do not provide CVSS, impact rating, or confirmed exploitation, so urgency should be driven by Linux kernel exposure and vendor advisories.
Executive priority
Treat this as a kernel patch management item with uncertain severity. Prioritize internet-facing, appliance, and NFS/SUNRPC-dependent systems first, but do not claim emergency exploitation without new vendor or KEV evidence.
Technical view
The flaw is in gss_free_in_token_pages() in SUNRPC. in_token->pages[] is not NULL terminated, causing an incorrect loop termination condition and a KASAN wild-memory-access report. Kernel stable commits are referenced as fixes, but the bundle does not fully describe affected release ranges or attacker prerequisites.
Likely exposure
Potentially exposed systems are those running Linux kernels with the vulnerable SUNRPC GSS code. Exposure is more plausible where SUNRPC, NFS, or RPCSEC_GSS functionality is enabled. Debian LTS and Siemens advisories indicate downstream vendor relevance, but exact affected product and version mapping is incomplete in the bundle.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of active exploitation or public exploit availability. It also does not establish whether exploitation requires local access, network reachability, authentication, or a specific SUNRPC configuration.
Researcher notes
Key unknowns are exploitability, privilege requirements, and affected release boundaries. The strongest evidence is the Linux kernel fix description and downstream advisory references. Validate against vendor kernels rather than assuming mainline commit hashes map directly to packaged builds.
Mitigation direction
Apply Linux kernel updates from the relevant OS or appliance vendor.
Review Debian LTS and Siemens advisories for product-specific fixed versions.
Track the referenced Linux stable commits in vendor kernel changelogs.
If patching is delayed, follow vendor guidance for limiting SUNRPC or NFS exposure.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Identify systems using SUNRPC, NFS, or RPCSEC_GSS functionality.
Confirm installed kernels include vendor fixes or referenced stable commits.
Check Debian and Siemens advisories for matching products and packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-36288 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.