CVE-2020-36791 in Linux
Summary
by MITRE • 05/07/2025
In the Linux kernel, the following vulnerability has been resolved:
net_sched: keep alloc_hash updated after hash allocation
In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex") I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched. This difference could lead to another out of bound access.
cp->alloc_hash should always be the size allocated, we should update it after this tcindex_alloc_perfect_hash().
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/10/2025
The vulnerability described in CVE-2020-36791 represents a critical flaw in the Linux kernel's traffic control subsystem, specifically within the net_sched component that manages packet scheduling and classification. This issue manifests as an out-of-bounds memory access condition that can potentially lead to system instability or privilege escalation. The vulnerability stems from a logical error in the tcindex classification algorithm implementation where the kernel fails to properly maintain consistency between allocated hash table sizes and their corresponding metadata tracking variables. The flaw was introduced during a previous fix attempt for a similar out-of-bounds access issue, creating a regression that compounds the original problem rather than resolving it completely.
The technical root cause involves improper synchronization between memory allocation and metadata management within the traffic control framework. When the kernel processes packet classification requests using the tcindex classifier, it dynamically allocates hash tables to optimize lookup performance. However, the implementation fails to update the cp->alloc_hash variable after successful hash allocation, creating a mismatch between the actual allocated memory size and the tracked size value. This inconsistency occurs because the code moves the cp->hash calculation before the tcindex_alloc_perfect_hash() function call but neglects to update cp->alloc_hash afterward, leaving the metadata in an inconsistent state. The flaw directly violates the principle of proper resource management and memory consistency that is fundamental to secure kernel operation.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to exploit the out-of-bounds access for privilege escalation or denial-of-service attacks. When the traffic control subsystem processes network packets with specific classification patterns, the inconsistent hash table tracking can cause the kernel to access memory regions outside the allocated bounds. This could result in kernel memory corruption, leading to system crashes, data loss, or in severe cases, allowing malicious actors to execute arbitrary code with kernel privileges. The vulnerability affects systems running Linux kernels that include the problematic commit, particularly those utilizing advanced traffic control features such as quality of service management, network shaping, or packet classification policies that rely on the tcindex classifier.
Mitigation strategies for this vulnerability require immediate kernel updates to the patched version that correctly synchronizes the cp->alloc_hash variable with actual hash table allocations. System administrators should prioritize applying the relevant security patches from their kernel distribution vendors, as the fix involves correcting the memory management logic in the net_sched subsystem. Additionally, monitoring network traffic patterns that heavily utilize traffic control features can help identify potential exploitation attempts. Organizations should also consider implementing network segmentation and access controls to limit exposure, while maintaining regular security audits of kernel components. The vulnerability aligns with CWE-121, heap-based buffer overflow, and could be categorized under ATT&CK technique T1068 for local privilege escalation, making it a critical security concern for enterprise environments relying on Linux-based networking infrastructure.