CVE-2024-36621
unknown
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
โ
Description
moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
Predictions
Exploit likelihood
30%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 26.1.4+dfsg1-9 |
| sid | Fixed | 26.1.4+dfsg1-9 |
| forky | Fixed | 26.1.4+dfsg1-9 |
| bullseye | Affected | โ |
| bookworm | Affected | โ |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/moby/moby | <26.0.0 | 26.0.0 |
| Go | github.com/moby/moby | <26.0.0+incompatible | 26.0.0+incompatible |
References
- https://security-tracker.debian.org/tracker/CVE-2024-36621
- https://nvd.nist.gov/vuln/detail/CVE-2024-36621
- https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
- https://gist.github.com/1047524396/5d44459edab5fafcdf86b43909b81135
- https://github.com/advisories/GHSA-2mj3-vfvx-fc43
- https://github.com/moby/moby
- https://github.com/moby/moby/blob/v25.0.5/builder/builder-next/adapters/snapshot/layer.go#L24
- https://www.suse.com/security/cve/CVE-2024-36621.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.