CVE-2024-36959: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
If we fail to allocate propname buffer, we need to drop the reference
count we just took. Because the pinctrl_dt_free_maps() includes the
droping operation, here we call it directly.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel resource-management bug in pin control device-tree handling. The source describes a reference-count leak when an allocation fails. Business impact is unclear because no CVSS, CWE, or exploitation evidence is provided, but kernel defects can matter for appliances, embedded systems, and servers running affected kernel branches.
Executive priority
Treat this as a normal kernel patch-management item unless a vendor advisory raises product-specific urgency. There is no evidence here of active exploitation or known business impact, but affected kernels should still be remediated through routine update cycles.
Technical view
The flaw is in pinctrl_dt_to_map(). If allocation of the propname buffer fails, the code had already taken a reference and did not drop it. The upstream fix calls pinctrl_dt_free_maps() on that failure path so the reference is released consistently.
Likely exposure
Exposure depends on Linux kernel version and whether the platform uses device-tree pinctrl paths. The source lists Linux as affected and references stable kernel fixes plus Debian LTS advisories. Siemens advisories indicate downstream product tracking, but affected Siemens products are not detailed in the provided bundle.
Exploitation context
The bundle does not show CISA KEV listing, active exploitation, public exploit use, or a scored impact. The described condition is an allocation-failure cleanup bug, so practical exploitability and attacker control are not established from the provided evidence.
Researcher notes
The strongest evidence is the upstream stable fix description. Missing CVSS, CWE, triggerability details, and exploit evidence limit risk scoring. Focus validation on whether the target kernel includes the specific cleanup-path fix rather than relying only on version names.
Mitigation direction
Identify Linux kernel versions across servers, appliances, embedded devices, and vendor-managed products.
Apply vendor kernel updates that include the referenced stable fixes.
Review Debian LTS advisories if using Debian-based systems.
Check Siemens ProductCERT advisories for affected Siemens-managed environments.
Prioritize internet-exposed or safety-critical devices after vendor confirmation.
Validation and detection
Compare running kernel versions against vendor advisories and fixed stable branch releases.
Confirm patched kernels include the referenced pinctrl devicetree fix commits.
Review SBOMs or asset inventories for Linux-based embedded and appliance systems.
Check vendor notices for backported fixes with unchanged kernel version strings.
Document systems where device-tree pinctrl usage cannot be confirmed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-36959 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.