CVE-2024-36020

In the Linux kernel, the following vulnerability has been resolved: i40e: fix vf may be used uninitialized in this function warning To fix the regression introduced by commit 52424f974bc5, which causes servers hang in very hard to reproduce conditions with resets races. Using two sources for the information is the root cause. In this function before the fix bumping v didn't mean bumping vf pointer. But the code used this variables interchangeably, so stale vf could point to different/not intended vf. Remove redundant "v" variable and iterate via single VF pointer across whole function instead to guarantee VF pointer validity.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6	Patch
https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0	Patch
https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba	Patch
https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31	Patch
https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a	Patch
https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c	Patch
https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d	Patch
https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8	Patch
https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6	Patch
https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0	Patch
https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba	Patch
https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31	Patch
https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a	Patch
https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c	Patch
https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d	Patch
https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.1:-::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc8::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.9:rc2::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

23 Dec 2025, 19:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-908
References	~~() https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6 -~~	() https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6 - Patch
References	~~() https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0 -~~	() https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0 - Patch
References	~~() https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba -~~	() https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba - Patch
References	~~() https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31 -~~	() https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31 - Patch
References	~~() https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a -~~	() https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a - Patch
References	~~() https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c -~~	() https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c - Patch
References	~~() https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d -~~	() https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d - Patch
References	~~() https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8 -~~	() https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -~~	() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html - Third Party Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -~~	() https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html - Third Party Advisory
First Time		Linux Debian Debian debian Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel:6.1:rc8:::::: cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:o:linux:linux_kernel:6.1:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc1:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.1:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.9:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.1:-:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::

21 Nov 2024, 09:21

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html - () https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -
References	~~() https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6 -~~	() https://git.kernel.org/stable/c/06df7618f591b2dc43c59967e294d7b9fc8675b6 -
References	~~() https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0 -~~	() https://git.kernel.org/stable/c/0dcf573f997732702917af1563aa2493dc772fc0 -
References	~~() https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba -~~	() https://git.kernel.org/stable/c/3e89846283f3cf7c7a8e28b342576fd7c561d2ba -
References	~~() https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31 -~~	() https://git.kernel.org/stable/c/951d2748a2a8242853abc3d0c153ce4bf8faad31 -
References	~~() https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a -~~	() https://git.kernel.org/stable/c/9dcf0fcb80f6aeb01469e3c957f8d4c97365450a -
References	~~() https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c -~~	() https://git.kernel.org/stable/c/b8e82128b44fa40bf99a50b919488ef361e1683c -
References	~~() https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d -~~	() https://git.kernel.org/stable/c/cc9cd02dd9e8b7764ea9effb24f4f1dd73d1b23d -
References	~~() https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8 -~~	() https://git.kernel.org/stable/c/f37c4eac99c258111d414d31b740437e1925b8e8 -

05 Nov 2024, 10:17

Type	Values Removed	Values Added
References	~~{'url': 'https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~ ~~{'url': 'https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html', 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}~~

27 Jun 2024, 12:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html -

25 Jun 2024, 23:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i40e: se puede usar vf sin inicializar en esta función advertencia Para corregir la regresión introducida por el commit 52424f974bc5, que hace que los servidores se cuelguen con mucha dificultad para reproducir condiciones con restablecimientos de ejecución. El uso de dos fuentes para la información es la causa fundamental. En esta función, antes de la corrección, tocar v no significaba tocar el puntero vf. Pero el código usaba estas variables indistintamente, por lo que un vf obsoleto podría apuntar a un vf diferente o no intencionado. Elimine la variable "v" redundante e itere mediante un único puntero VF en toda la función para garantizar la validez del puntero VF.

30 May 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-30 15:15

Updated : 2025-12-23 19:16

NVD link : CVE-2024-36020

Mitre link : CVE-2024-36020

CVE.ORG link : CVE-2024-36020

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-908

Use of Uninitialized Resource

5.5 /10