CRITICAL🇵🇱 Wersja polska

CVE-2024-36031

CVSS 9.8v3.1pub. 2024-05-30upd. 2025-11-04

In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set by user-space is overwritten to TIME64_MAX, disabling further DNS updates. Fix this by restoring the condition that key_set_expiry is only called when the pre-parser sets a specific expiry.

🤖 AI Analysis
How it works

During the key instantiation process in the Linux kernel, the key_set_expiry function was called unconditionally, resulting in the expiration time being set to TIME64_MAX — essentially infinity. The correct behavior should be to call this function only when the pre-parser explicitly indicates a specific expiration time. As a result, the expiration time set by user-space was being overwritten with a default value, making the key permanent contrary to system intentions.

Impact

An attacker or unauthorized party can exploit the fact that keys never expire to maintain outdated or malicious data (e.g., DNS records) indefinitely, bypassing key refresh and invalidation mechanisms. This can lead to violations of system confidentiality, integrity, and availability (CVSS score 9.8).

Mitigation & patch

Apply patches available from the manufacturer according to the references — fixes have been published in the stable Linux kernel repositories at the addresses indicated in the CVE references section.

Who is affected

Linux kernel — versions indicated in the manufacturer's references (patches available at the addresses in the references section).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    OS
    Linux
    5.10.206 – 5.10.217 (bez)5.15.146 – 5.15.159 (bez)6.1.70 – 6.1.91 (bez)6.6.9 – 6.6.31 (bez)6.7 – 6.8.10 (bez)6.9 – 6.9.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2022-47986CRITICAL9.8⚠ KEVten sam produkt

IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...

CVE-2022-22954CRITICAL9.8⚠ KEVten sam produkt

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...

CVE-2020-4006CRITICAL9.1⚠ KEVten sam produkt

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...