CVE-2024-36961 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Fix two locking issues with thermal zone debug With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tze_seq_start(). Moreover, thermal_debug_tz_remove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermal_debugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely. To address the first problem, pass a pointer to the thermal zone's struct thermal_debugfs object to debugfs_create_file() in thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(), tze_seq_stop(), and tze_seq_show() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tz_debugfs will be valid across the "mitigations" file accesses until thermal_debugfs_remove_id() called by thermal_debug_tz_remove() removes that file. To address the second problem, use tz->lock in thermal_debug_tz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL. Cc :6.8+ <stable@vger.kernel.org> # 6.8+

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
kernel-0:5.14.0-503.11.1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z
kernel-0:5.14.0-503.11.1.el9_5	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e
https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8
https://lore.kernel.org/linux-cve-announce/2024060344-CVE-2024-36961-58bb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-36961
https://www.cve.org/CVERecord?id=CVE-2024-36961

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00103}`	epss `{'score': 0.0005}`

Wed, 13 Nov 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Tue, 05 Nov 2024 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-06-03T07:49:59.621Z

Updated: 2025-05-04T09:12:53.485Z

Reserved: 2024-05-30T15:25:07.081Z

Link: CVE-2024-36961

Vulnrichment

Updated: 2024-08-02T03:43:50.481Z

NVD

Status : Awaiting Analysis

Published: 2024-06-03T08:15:09.660

Modified: 2024-11-21T09:22:54.983

Link: CVE-2024-36961

Redhat

Severity : Low

Publid Date: 2024-06-03T00:00:00Z

Links: CVE-2024-36961 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36961", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-30T15:25:07.081Z", "datePublished": "2024-06-03T07:49:59.621Z", "dateUpdated": "2025-05-04T09:12:53.485Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:12:53.485Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object. Then, it may clear\ntz->debugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s->private\ninstead of a pointer to the thermal zone object. This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz->lock in thermal_debug_tz_remove()\naround the tz->debugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/thermal/thermal_debugfs.c"], "versions": [{"version": "7ef01f228c9f54c6260319858be138a8a7e9e704", "lessThan": "6c57bdd0505422d5ccd2df541d993aec978c842e", "status": "affected", "versionType": "git"}, {"version": "7ef01f228c9f54c6260319858be138a8a7e9e704", "lessThan": "c7f7c37271787a7f77d7eedc132b0b419a76b4c8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/thermal/thermal_debugfs.c"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.10", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.8.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"}, {"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"}], "title": "thermal/debugfs: Fix two locking issues with thermal zone debug", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.481Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:15:32.309097Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:59.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:43:50.481Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-36961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:15:32.309097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:27.311Z"}}], "cna": {"title": "thermal/debugfs: Fix two locking issues with thermal zone debug", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "7ef01f228c9f54c6260319858be138a8a7e9e704", "lessThan": "6c57bdd0505422d5ccd2df541d993aec978c842e", "versionType": "git"}, {"status": "affected", "version": "7ef01f228c9f54c6260319858be138a8a7e9e704", "lessThan": "c7f7c37271787a7f77d7eedc132b0b419a76b4c8", "versionType": "git"}], "programFiles": ["drivers/thermal/thermal_debugfs.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.8.10", "versionType": "semver", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/thermal/thermal_debugfs.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"}, {"url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object. Then, it may clear\ntz->debugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s->private\ninstead of a pointer to the thermal zone object. This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz->lock in thermal_debug_tz_remove()\naround the tz->debugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8.10", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.9", "versionStartIncluding": "6.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:12:53.485Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36961", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:12:53.485Z", "dateReserved": "2024-05-30T15:25:07.081Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-03T07:49:59.621Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/debugfs: Fix two locking issues with thermal zone debug\n\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\n\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object. Then, it may clear\ntz->debugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\n\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s->private\ninstead of a pointer to the thermal zone object. This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\n\nTo address the second problem, use tz->lock in thermal_debug_tz_remove()\naround the tz->debugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\n\nCc :6.8+ <stable@vger.kernel.org> # 6.8+"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/debugfs: soluciona dos problemas de bloqueo con la depuraci\u00f3n de la zona t\u00e9rmica. Con la disposici\u00f3n actual de bloqueo de la zona t\u00e9rmica en el c\u00f3digo debugfs, el espacio de usuario puede abrir el archivo de \"mitigaciones\" para una zona t\u00e9rmica antes. El puntero debugfs de la zona est\u00e1 configurado, lo que dar\u00e1 como resultado una desreferencia del puntero NULL en tze_seq_start(). Adem\u00e1s, Thermal_debug_tz_remove() no se llama bajo el bloqueo de la zona t\u00e9rmica, por lo que puede ejecutarse en paralelo con las otras funciones que acceden al objeto struct Thermal_debugfs de la zona t\u00e9rmica. Luego, puede borrar tz->debugfs despu\u00e9s de que una de esas funciones lo haya verificado y el objeto struct Thermal_debugfs puede liberarse prematuramente. Para solucionar el primer problema, pase un puntero al objeto struct Thermal_debugfs de la zona t\u00e9rmica para debugfs_create_file() en Thermal_debug_tz_add() y haga que tze_seq_start(), tze_seq_next(), tze_seq_stop() y tze_seq_show() lo recuperen de s->private. de un puntero al objeto de la zona t\u00e9rmica. Esto garantizar\u00e1 que tz_debugfs sea v\u00e1lido en todos los accesos a archivos de \"mitigaciones\" hasta que Thermal_debugfs_remove_id() llamado por Thermal_debug_tz_remove() elimine ese archivo. Para solucionar el segundo problema, use tz->lock en Thermal_debug_tz_remove() alrededor de la verificaci\u00f3n del valor de tz->debugfs (en caso de que la misma zona t\u00e9rmica se elimine al mismo tiempo en dos subprocesos diferentes) y se restablezca a NULL. CC :6.8+ # 6.8+"}], "id": "CVE-2024-36961", "lastModified": "2024-11-21T09:22:54.983", "metrics": {}, "published": "2024-06-03T08:15:09.660", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/6c57bdd0505422d5ccd2df541d993aec978c842e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/c7f7c37271787a7f77d7eedc132b0b419a76b4c8"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: thermal/debugfs: Fix two locking issues with thermal zone debug", "id": "2290407", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2290407"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-667", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nthermal/debugfs: Fix two locking issues with thermal zone debug\nWith the current thermal zone locking arrangement in the debugfs code,\nuser space can open the \"mitigations\" file for a thermal zone before\nthe zone's debugfs pointer is set which will result in a NULL pointer\ndereference in tze_seq_start().\nMoreover, thermal_debug_tz_remove() is not called under the thermal\nzone lock, so it can run in parallel with the other functions accessing\nthe thermal zone's struct thermal_debugfs object. Then, it may clear\ntz->debugfs after one of those functions has checked it and the\nstruct thermal_debugfs object may be freed prematurely.\nTo address the first problem, pass a pointer to the thermal zone's\nstruct thermal_debugfs object to debugfs_create_file() in\nthermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(),\ntze_seq_stop(), and tze_seq_show() retrieve it from s->private\ninstead of a pointer to the thermal zone object. This will ensure\nthat tz_debugfs will be valid across the \"mitigations\" file accesses\nuntil thermal_debugfs_remove_id() called by thermal_debug_tz_remove()\nremoves that file.\nTo address the second problem, use tz->lock in thermal_debug_tz_remove()\naround the tz->debugfs value check (in case the same thermal zone is\nremoved at the same time in two different threads) and its reset to NULL.\nCc :6.8+ <stable@vger.kernel.org> # 6.8+"], "name": "CVE-2024-36961", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-36961\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-36961\nhttps://lore.kernel.org/linux-cve-announce/2024060344-CVE-2024-36961-58bb@gregkh/T"], "threat_severity": "Low"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object