LiveActive security incident?Get immediate response
CVE Record

CVE-2024-36489: tls: fix missing memory barrier in tls_init

In the Linux kernel, the following vulnerability has been resolved: tls: fix missing memory barrier in tls_init In tls_init(), a write memory barrier is missing, and store-store reordering may cause NULL dereference in tls_{setsockopt,getsockopt}. CPU0 CPU1 ----- ----- // In tls_init() // In tls_ctx_create() ctx = kzalloc() ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1) // In update_sk_prot() WRITE_ONCE(sk->sk_prot, tls_prots) -(2) // In sock_common_setsockopt() READ_ONCE(sk->sk_prot)->setsockopt() // In tls_{setsockopt,getsockopt}() ctx->sk_proto->setsockopt() -(3) In the above scenario, when (1) and (2) are reordered, (3) can observe the NULL value of ctx->sk_proto, causing NULL dereference. To fix it, we rely on rcu_assign_pointer() which implies the release barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is initialized, we can ensure that ctx->sk_proto are visible when changing sk->sk_prot.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2024-36489 is a Linux kernel flaw in kernel TLS initialization. A missing memory ordering safeguard can leave internal socket state inconsistent, causing a NULL pointer dereference. The likely business impact is system or service instability rather than confirmed data theft. The source bundle reports no KEV listing and no active exploitation evidence.

Executive priority

Schedule remediation through normal kernel patch cycles, with higher urgency for critical availability systems. There is no sourced evidence of active exploitation, but kernel NULL dereferences can still create operational disruption if reachable.

Technical view

The flaw is in tls_init(). Store-store reordering may publish sk->sk_prot before ctx->sk_proto is initialized. Later tls_setsockopt or tls_getsockopt can dereference a NULL ctx->sk_proto. The fix moves rcu_assign_pointer() after ctx->sk_proto initialization, relying on release-barrier semantics.

Likely exposure

Exposure is most likely on Linux systems running affected kernel builds where kernel TLS socket paths are reachable. The bundle lists Linux as affected and references stable kernel fixes. It does not provide distribution-specific package status or detailed Siemens product impact.

Exploitation context

The provided sources describe a race/order bug leading to NULL dereference. They do not state remote exploitability, privilege requirements, public exploit availability, or active exploitation. KEV is false, so treat this as a patch-management issue unless vendor guidance says otherwise.

Researcher notes

The key issue is publication ordering in tls_init(), not a protocol parsing defect. Validate exposure by kernel lineage and vendor backports rather than version strings alone. The bundle lacks CVSS, CWE, exploitability details, and distro advisories, so avoid over-scoping impact.

Mitigation direction

  • Update affected Linux kernels to versions containing the referenced stable fixes.
  • Check your Linux distribution advisory for backported patch status.
  • Review Siemens advisories if you operate referenced Siemens environments.
  • Prioritize internet-facing or availability-sensitive Linux systems first.
  • Reboot systems if the kernel update requires it.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Map installed kernels against vendor advisories and fixed stable commits.
  • Confirm whether kernel TLS functionality is enabled or used.
  • Verify patched kernels are active after maintenance windows.
  • Document exceptions with vendor guidance and compensating monitoring.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-36489 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd5bee7374b68de3c44586d46e9e61ffc97a1e886, d5bee7374b68de3c44586d46e9e61ffc97a1e886, d5bee7374b68de3c44586d46e9e61ffc97a1e886, d5bee7374b68de3c44586d46e9e61ffc97a1e886, d5bee7374b68de3c44586d46e9e61ffc97a1e886, d5bee7374b68de3c44586d46e9e61ffc97a1e886unaffected
LinuxLinux5.7, 0, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.9.4, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.