LiveActive security incident?Get immediate response
CVE Record

CVE-2024-36959: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()

In the Linux kernel, the following vulnerability has been resolved: pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map() If we fail to allocate propname buffer, we need to drop the reference count we just took. Because the pinctrl_dt_free_maps() includes the droping operation, here we call it directly.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This is a Linux kernel resource-management bug in pin control device-tree handling. The source describes a reference-count leak when an allocation fails. Business impact is unclear because no CVSS, CWE, or exploitation evidence is provided, but kernel defects can matter for appliances, embedded systems, and servers running affected kernel branches.

Executive priority

Treat this as a normal kernel patch-management item unless a vendor advisory raises product-specific urgency. There is no evidence here of active exploitation or known business impact, but affected kernels should still be remediated through routine update cycles.

Technical view

The flaw is in pinctrl_dt_to_map(). If allocation of the propname buffer fails, the code had already taken a reference and did not drop it. The upstream fix calls pinctrl_dt_free_maps() on that failure path so the reference is released consistently.

Likely exposure

Exposure depends on Linux kernel version and whether the platform uses device-tree pinctrl paths. The source lists Linux as affected and references stable kernel fixes plus Debian LTS advisories. Siemens advisories indicate downstream product tracking, but affected Siemens products are not detailed in the provided bundle.

Exploitation context

The bundle does not show CISA KEV listing, active exploitation, public exploit use, or a scored impact. The described condition is an allocation-failure cleanup bug, so practical exploitability and attacker control are not established from the provided evidence.

Researcher notes

The strongest evidence is the upstream stable fix description. Missing CVSS, CWE, triggerability details, and exploit evidence limit risk scoring. Focus validation on whether the target kernel includes the specific cleanup-path fix rather than relying only on version names.

Mitigation direction

  • Identify Linux kernel versions across servers, appliances, embedded devices, and vendor-managed products.
  • Apply vendor kernel updates that include the referenced stable fixes.
  • Review Debian LTS advisories if using Debian-based systems.
  • Check Siemens ProductCERT advisories for affected Siemens-managed environments.
  • Prioritize internet-exposed or safety-critical devices after vendor confirmation.

Validation and detection

  • Compare running kernel versions against vendor advisories and fixed stable branch releases.
  • Confirm patched kernels include the referenced pinctrl devicetree fix commits.
  • Review SBOMs or asset inventories for Linux-based embedded and appliance systems.
  • Check vendor notices for backported fixes with unchanged kernel version strings.
  • Document systems where device-tree pinctrl usage cannot be confirmed.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-36959 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxa988dcd3dd9e691c5ccc3324b209688f3b5453e9, 040f726fecd88121f3b95e70369785ad452dddf9, 777430aa4ddccaa5accec6db90ffc1d47f00d471, 97e5b508e96176f1a73888ed89df396d7041bfcb, 91d5c5060ee24fe8da88cd585bb43b843d2f0dce, 91d5c5060ee24fe8da88cd585bb43b843d2f0dce, 91d5c5060ee24fe8da88cd585bb43b843d2f0dce, 91d5c5060ee24fe8da88cd585bb43b843d2f0dce, aaf552c5d53abe4659176e099575fe870d2e4768, b4d9f55cd38435358bc16d580612bc0d798d7b4c, 5834a3a98cd266ad35a229923c0adbd0addc8d68unaffected
LinuxLinux6.1, 0, 4.19.314, 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31, 6.8.10, 6.9affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.