CVE-2024-36489: tls: fix missing memory barrier in tls_init
In the Linux kernel, the following vulnerability has been resolved:
tls: fix missing memory barrier in tls_init
In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.
CPU0 CPU1
----- -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)
// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots) -(2)
// In sock_common_setsockopt()
READ_ONCE(sk->sk_prot)->setsockopt()
// In tls_{setsockopt,getsockopt}()
ctx->sk_proto->setsockopt() -(3)
In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.
To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.
Security readout for executives and security teams
Plain-English summary
CVE-2024-36489 is a Linux kernel flaw in kernel TLS initialization. A missing memory ordering safeguard can leave internal socket state inconsistent, causing a NULL pointer dereference. The likely business impact is system or service instability rather than confirmed data theft. The source bundle reports no KEV listing and no active exploitation evidence.
Executive priority
Schedule remediation through normal kernel patch cycles, with higher urgency for critical availability systems. There is no sourced evidence of active exploitation, but kernel NULL dereferences can still create operational disruption if reachable.
Technical view
The flaw is in tls_init(). Store-store reordering may publish sk->sk_prot before ctx->sk_proto is initialized. Later tls_setsockopt or tls_getsockopt can dereference a NULL ctx->sk_proto. The fix moves rcu_assign_pointer() after ctx->sk_proto initialization, relying on release-barrier semantics.
Likely exposure
Exposure is most likely on Linux systems running affected kernel builds where kernel TLS socket paths are reachable. The bundle lists Linux as affected and references stable kernel fixes. It does not provide distribution-specific package status or detailed Siemens product impact.
Exploitation context
The provided sources describe a race/order bug leading to NULL dereference. They do not state remote exploitability, privilege requirements, public exploit availability, or active exploitation. KEV is false, so treat this as a patch-management issue unless vendor guidance says otherwise.
Researcher notes
The key issue is publication ordering in tls_init(), not a protocol parsing defect. Validate exposure by kernel lineage and vendor backports rather than version strings alone. The bundle lacks CVSS, CWE, exploitability details, and distro advisories, so avoid over-scoping impact.
Mitigation direction
Update affected Linux kernels to versions containing the referenced stable fixes.
Check your Linux distribution advisory for backported patch status.
Review Siemens advisories if you operate referenced Siemens environments.
Prioritize internet-facing or availability-sensitive Linux systems first.
Reboot systems if the kernel update requires it.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Map installed kernels against vendor advisories and fixed stable commits.
Confirm whether kernel TLS functionality is enabled or used.
Verify patched kernels are active after maintenance windows.
Document exceptions with vendor guidance and compensating monitoring.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-36489 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.