What is CVE-2024-36000?

CVE-2024-36000 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. CVE-2024-36000 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2024-36000?

CVE-2024-36000 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2024-36000?

No patch is currently available for CVE-2024-36000. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2024-36000 actively exploited?

CVE-2024-36000 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2024-36000

Medium

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix missing hugetlb_lock for resv uncharge There is a recent report on UFFDIO_COPY over hugetlb: https://lore.kernel.org/all/[email protected]/ 350: lockdep_assert_held(&hugetlb_lock); Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() will update the cgroup pointer, so it requires to be called with the lock held.

Package Linux Kernel

Published 2024-05-20

Last modified 2025-09-23

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-617

CVE-2024-36000 is classified as CWE-617

See CWE-617 on MITRE CWE for full details on this weakness type.

References

The following references provide additional information about CVE-2024-36000 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc
Patch
Kernel patch commit
https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2
Patch

4 patch commits total View all on NVD

Details

CVE ID CVE-2024-36000

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-05-20

Modified 2025-09-23

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2024-36000?

CVE-2024-36000 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . CVE-2024-36000 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2024-36000?

CVE-2024-36000 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2024-36000?

No patch is currently available for CVE-2024-36000. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2024-36000 actively exploited?

No — CVE-2024-36000 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.