CVE-2024-36946 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

phonet: fix rtm_phonet_notify() skb allocation

fill_route() stores three components in the skb:

- struct rtmsg - RTA_DST (u8) - RTA_OIF (u32)

Therefore, rtm_phonet_notify() should use

NLMSG_ALIGN(sizeof(struct rtmsg)) + nla_total_size(1) + nla_total_size(4)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 01/22/2026

The vulnerability CVE-2024-36946 addresses a critical memory allocation issue within the Linux kernel's phonet subsystem, which is responsible for handling phonet protocol communications. This flaw exists in the rtm_phonet_notify() function that manages notifications for phonet routing updates. The phonet protocol is a Linux kernel subsystem designed for communication between applications and network devices, particularly in mobile and embedded systems where efficient network communication is essential. The vulnerability stems from incorrect calculation of the required socket buffer (skb) size when constructing routing notification messages.

The technical flaw occurs in the fill_route() function which correctly identifies that three specific components must be stored in the socket buffer: the struct rtmsg routing message header, RTA_DST (a single byte destination address field), and RTA_OIF (a four-byte output interface field). However, the rtm_phonet_notify() function fails to properly account for this memory requirement when allocating the socket buffer, leading to insufficient memory allocation for the notification message. This improper allocation can result in memory corruption or buffer overflows when the system attempts to populate the routing information fields.

The operational impact of this vulnerability is significant as it can lead to system instability, potential denial of service conditions, or even arbitrary code execution if an attacker can manipulate the routing notification process. The phonet subsystem is commonly used in mobile devices and embedded systems where kernel memory corruption can severely impact device functionality. When the kernel attempts to construct routing notifications for phonet communications, the insufficient buffer allocation causes the system to write beyond allocated memory boundaries, potentially corrupting adjacent memory regions or triggering kernel panic conditions.

This vulnerability aligns with CWE-129, which describes improper validation of the length of input data, and specifically relates to improper calculation of buffer sizes in kernel memory management. The issue also connects to ATT&CK technique T1068, which involves the exploitation of privileges and kernel vulnerabilities for system compromise. The fix implemented addresses the root cause by ensuring proper memory allocation calculations that account for the exact size requirements of the routing message components. The solution requires using NLMSG_ALIGN(sizeof(struct rtmsg)) plus the appropriate nla_total_size calculations for each attribute type, specifically nla_total_size(1) for the one-byte RTA_DST field and nla_total_size(4) for the four-byte RTA_OIF field. This correction ensures that the socket buffer allocated is sufficient to accommodate all routing notification components without memory corruption.

The mitigation strategy involves applying the kernel patch that corrects the buffer size calculation in the rtm_phonet_notify() function. System administrators should prioritize updating their Linux kernel versions to include this fix, particularly in environments where phonet protocol usage is prevalent. Organizations using mobile devices, embedded systems, or network infrastructure that relies on phonet communications should conduct immediate vulnerability assessments and apply the necessary kernel updates. The fix represents a defensive programming approach that prevents buffer overflows by ensuring proper memory allocation before data population, following established kernel security best practices and reducing the attack surface for potential exploitation of kernel memory management flaws.

Sources

Interested in the pricing of exploits?

See the underground prices here!