CVE-2024-36939 in Linux
Riassunto
di VulDB • 19/06/2026
This is a Linux kernel crash (Oops/Panic) trace. Here is a breakdown of the issue:
### **1. Summary** - **Trigger:** A user-space process called `unshare()` (specifically `SYS_unshare`, syscall number `0x110`), likely to create a new network namespace. - **Crash Location:** `rpc_proc_unregister` in `net/sunrpc/stats.c`. - **Root Cause:** A **Use-After-Free (UAF)** or **Race Condition** in the NFS/SunRPC subsystem during network namespace cleanup. The kernel tried to unregister an RPC procedure that had already been freed or was in an inconsistent state.
---
### **2. Call Trace Analysis** ``` rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310 → This is where the crash occurred. nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438 → The NFS network namespace exit function is running. ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170 → General net namespace cleanup. setup_net+0x46c/0x660 net/core/net_namespace.c:372 → Setting up a new network namespace. copy_net_ns+0x244/0x590 net/core/net_namespace.c:505 → Copying the network namespace (part of unshare). create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110 → Creating new namespaces. unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228 → Unsharing namespace proxies. ksys_unshare+0x342/0x760 kernel/fork.c:3322 → System call entry for unshare. __do_sys_unshare kernel/fork.c:3393 [inline]
__se_sys_unshare kernel/fork.c:3391 [inline]
__x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391 → The syscall handler. ```
### **3. Key Observations** - **`rpc_proc_unregister`**: This function is responsible for removing an RPC program from the stats tracking. It likely accesses a global or per-namespace list of RPC procedures. - **`nfs_net_exit`**: This is called when a network namespace is being destroyed. It cleans up NFS-specific resources. - **Race Condition**: The crash suggests that `rpc_proc_unregister` was called on an RPC procedure that was: 1. Already freed. 2. In the process of being freed. 3. Not properly initialized.
This is a classic **UAF (Use-After-Free)** bug in the NFS/SunRPC stats tracking code during namespace teardown.
---
### **4. Likely Cause** The bug is in `net/sunrpc/stats.c` or `fs/nfs/inode.c`. Specifically: - When a network namespace is exiting (`nfs_net_exit`), it iterates over RPC procedures to unregister them. - However, some RPC procedures might have already been freed or are being freed concurrently, leading to a crash when `rpc_proc_unregister` tries to access them.
This could be due to: - Missing synchronization between RPC procedure registration/unregistration and namespace cleanup. - A race between `unshare()` (creating a new namespace) and existing namespace teardown.
---
### **5. Fix/Workaround** #### **For Developers:** 1. **Check `rpc_proc_unregister`**: Ensure it handles NULL pointers or already-freed structures gracefully. 2. **Synchronize Namespace Cleanup**: Ensure that `nfs_net_exit` waits for all RPC procedures to be fully unregistered before freeing them. 3. **Add Reference Counting**: Use `kref` or similar mechanisms to prevent UAF.
#### **For Users:** - **Update Kernel**: This is likely a known bug in older kernels. Update to the latest stable kernel. - **Avoid `unshare()` with NFS**: If possible, avoid using `unshare()` with network namespaces in environments using NFS. - **Disable NFS Stats**: If NFS stats tracking is not needed, consider disabling it to avoid the code path.
---
### **6. Relevant Code Locations** - `net/sunrpc/stats.c:310` (`rpc_proc_unregister`) - `fs/nfs/inode.c:2438` (`nfs_net_exit`)
### **7. Mitigation**
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.