CVE-2020-36789
CVSS 3.1 Score 5.5 of 10 (medium)
Details
Summary
CVE-2020-36789 is a vulnerability in the CAN (Controller Area Network) stack of the Linux kernel. When a driver calls can_get_echo_skb() in hardware IRQ context, a NULL pointer dereference is possible because kfree_skb() is called instead of dev_kfree_skb_irq(). The fix prevents the skb from being freed within netif_rx() by incrementing its reference count with skb_get(); the skb is then freed safely by dev_consume_skb_any() or dev_kfree_skb_any(). The root cause is that loopback skbs are received in hardware IRQ context, which is not typical behavior in the core network stack. The issue was first reported in 2017, but the patch proposed at that time was not accepted. The fix instead makes a smoother modification within the CAN network stack, on the assumption that only CAN devices are affected.
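The reference-count reasoning behind the fix can be followed in a small userspace model. This is an added example, not kernel code or the upstream patch: every `model_*` name is a hypothetical stand-in, and the `drops` flag that makes the netif_rx() stand-in release the skb itself is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: all model_* names are simplified stand-ins. */
struct model_skb { int users; };
static bool in_hardirq;           /* true while "inside" a hardware IRQ handler */
static int frees_in_netif_rx;     /* final frees done inside the netif_rx() stand-in */
static struct model_skb *backlog; /* one-slot receive queue */

static struct model_skb *model_alloc(void)
{
    struct model_skb *skb = malloc(sizeof(*skb));
    if (!skb)
        abort();
    skb->users = 1;
    return skb;
}

/* Drop one reference; returns true when this call released the last one. */
static bool model_put(struct model_skb *skb)
{
    if (--skb->users > 0)
        return false;
    free(skb);
    return true;
}

/* Stand-in for netif_rx(): queues the skb, or releases its reference itself. */
static void model_netif_rx(struct model_skb *skb, bool drops)
{
    if (!drops)
        backlog = skb;            /* the queue keeps the reference */
    else if (model_put(skb) && in_hardirq)
        frees_in_netif_rx++;      /* the case the fix is meant to prevent */
}

/* Echo path run in hard IRQ context; 'patched' holds an extra reference. */
static int model_echo(bool patched, bool drops)
{
    struct model_skb *skb = model_alloc();
    frees_in_netif_rx = 0;
    backlog = NULL;
    in_hardirq = true;
    if (patched) skb->users++;          /* stand-in for skb_get() */
    model_netif_rx(skb, drops);
    if (patched) model_put(skb);        /* stand-in for dev_*_skb_any() */
    in_hardirq = false;
    if (backlog) model_put(backlog);    /* queued skb released outside hard IRQ */
    return frees_in_netif_rx;
}
int main(void) { printf("%d %d\n", model_echo(false, true), model_echo(true, true)); return 0; }
```

With the extra reference held, the release inside the netif_rx() stand-in can never be the final one, so the last release always happens in the caller, where the model assumes the IRQ-safe variant is used.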