CVE-2024-36025 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()

The app_reply->elem[] array is allocated earlier in this function and it
has app_req.num_ports elements. Thus this > comparison needs to be >= to prevent memory corruption.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 08/28/2025

The vulnerability identified as CVE-2024-36025 resides within the Linux kernel's SCSI subsystem, specifically affecting the qla2xxx driver that handles QLogic Fibre Channel HBAs. This driver is commonly used in enterprise storage environments where high-performance Fibre Channel connectivity is required for data center operations. The flaw manifests in the qla_edif_app_getstats() function which is responsible for retrieving statistics from the EDIF (Encryption, Decryption, and Integrity) application layer. The vulnerability represents a classic buffer overread condition that could potentially lead to memory corruption and system instability.

The technical flaw stems from an incorrect boundary check within the function where the code performs a greater than comparison instead of a greater than or equal comparison when iterating through the app_reply->elem[] array. This array is pre-allocated with app_req.num_ports elements, meaning the valid index range extends from 0 to app_req.num_ports-1. However, the current implementation uses a condition that allows iteration beyond this boundary, creating a scenario where the code attempts to access memory locations beyond the allocated array bounds. This off-by-one error directly violates fundamental memory safety principles and creates a potential attack vector for privilege escalation or denial of service conditions.

The operational impact of this vulnerability extends beyond simple memory corruption as it affects the reliability and stability of storage subsystems that depend on the qla2xxx driver. In enterprise environments where Fibre Channel storage arrays are critical for data availability, such a flaw could lead to unexpected system crashes, data integrity issues, or even allow malicious actors to exploit the memory corruption for privilege escalation attacks. The vulnerability is particularly concerning because it operates within kernel space where unauthorized access can result in complete system compromise. According to CWE classification, this represents a CWE-129: Improper Validation of Array Index, which is categorized under the broader weakness of improper input validation. The vulnerability aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, as memory corruption in kernel space often provides a pathway for escalating privileges.

Mitigation strategies for this vulnerability primarily involve applying the official kernel patch that corrects the boundary condition in the qla_edif_app_getstats() function. System administrators should prioritize updating their Linux kernel installations to versions that include this fix, particularly in production environments where the qla2xxx driver is actively used. The patch implementation requires careful testing in staging environments to ensure compatibility with existing storage configurations. Additionally, monitoring systems should be enhanced to detect anomalous behavior in storage subsystems that might indicate exploitation attempts. Organizations should also implement network segmentation and access controls around storage networks to limit potential attack surfaces. Regular vulnerability assessments should be conducted to identify any other similar boundary condition issues within the kernel's SCSI subsystem or other storage drivers. The fix demonstrates the importance of rigorous code review processes and automated testing for memory safety conditions in kernel space code.

Reservation

05/17/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00249

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!