VYPR
High severity · NVD Advisory · Published Nov 29, 2024 · Updated Dec 4, 2024

CVE-2024-36621

Description

moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in Moby (Docker) v25.0.5's EnsureLayer function can lead to resource leaks/exhaustion during concurrent builds.

Vulnerability

Overview

CVE-2024-36621 is a race condition vulnerability identified in Moby (Docker) v25.0.5, specifically within the EnsureLayer function in builder/builder-next/adapters/snapshot/layer.go [1][3][4]. The issue arises when concurrent build processes simultaneously call this function, leading to unsynchronized access that can trigger resource leaks and eventual exhaustion of system resources [1][3].
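A runnable illustration of the failure the overview describes, added here as an example and not code from Moby or from this advisory: a toy `layerStore` whose `EnsureLayer` does a check-then-create, first with no lock (the v25.0.5 shape) and then serialized by a per-key lock in the pattern the fix uses. The names `keyLocker`, `gate`, `layerStore` and `raceEnsure` and the key `sha256:example-layer` are constructed for this example; `keyLocker` is a simplified stand-in for github.com/moby/locker, and `gate` exists only to hold every caller inside the check-then-create window so the race reproduces deterministically instead of depending on scheduler luck.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// keyLocker is a minimal per-key mutex written for this example (assumption);
// it stands in for github.com/moby/locker, which the real fix uses.
type keyLocker struct{ locks sync.Map }

func (l *keyLocker) Lock(key string) {
	m, _ := l.locks.LoadOrStore(key, &sync.Mutex{})
	m.(*sync.Mutex).Lock()
}

func (l *keyLocker) Unlock(key string) {
	m, _ := l.locks.Load(key)
	m.(*sync.Mutex).Unlock()
}

// gate parks every caller that passed the existence check until all `need`
// callers are inside the window (or a timeout expires), making the race deterministic.
type gate struct {
	mu   sync.Mutex
	need int
	got  int
	done chan struct{}
}

func (g *gate) arrive() {
	g.mu.Lock()
	g.got++
	if g.got == g.need {
		close(g.done)
	}
	g.mu.Unlock()
	select {
	case <-g.done:
	case <-time.After(200 * time.Millisecond):
	}
}

// layerStore is a toy model of the snapshotter: layers records which keys
// exist and created counts every layer object ever built. Any build beyond
// the first for a key is the leak the advisory describes.
type layerStore struct {
	mu      sync.Mutex
	layers  map[string]bool
	created atomic.Int64
	window  *gate
	locker  *keyLocker // nil models the unpatched v25.0.5 behaviour
}

func (s *layerStore) hasLayer(key string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.layers[key]
}

// EnsureLayer has the shape of the patched function: per-key lock (when
// present), check, create. Without the lock two callers can both observe
// "missing" before either commits, and both build a layer.
func (s *layerStore) EnsureLayer(key string) {
	if s.locker != nil {
		s.locker.Lock(key)
		defer s.locker.Unlock(key)
	}
	if s.hasLayer(key) {
		return
	}
	s.window.arrive() // the slow part of building the layer
	s.created.Add(1)
	s.mu.Lock()
	s.layers[key] = true
	s.mu.Unlock()
}

// raceEnsure fires n concurrent EnsureLayer calls for one key and returns how
// many layer objects were built; the correct answer is always 1.
func raceEnsure(n int, patched bool) int64 {
	s := &layerStore{
		layers: map[string]bool{},
		window: &gate{need: n, done: make(chan struct{})},
	}
	if patched {
		s.locker = &keyLocker{}
	}
	start := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start
			s.EnsureLayer("sha256:example-layer") // constructed key
		}()
	}
	close(start)
	wg.Wait()
	return s.created.Load()
}
```

`raceEnsure(8, false)` returns more than one (all eight once the gate fills): every caller sees the key as missing and builds its own layer object, only one of which is ever recorded in `layers`, so the rest are the leaked resources. `raceEnsure(8, true)` returns exactly 1: the second caller onwards blocks on the per-key lock until the first has committed and then takes the early return. The lock is keyed, so builds for different keys still proceed in parallel, which is why the fix uses a per-key locker rather than the snapshotter's single mutex.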

Exploitation

To exploit this vulnerability, an attacker must have the ability to initiate multiple concurrent container builds on a system running the affected version of Moby. No special privileges beyond normal build access are required, as the race condition is triggered by standard build operations [1]. The attack vector is network-based, since builds can be initiated remotely via the Docker API or CLI, and the attack complexity is considered high due to the necessity of precise timing to win the race [1].

Impact

Successful exploitation can lead to resource leaks, such as file descriptors, memory, or storage, potentially causing resource exhaustion on the host system. This could degrade system performance or lead to denial of service (DoS) for legitimate container operations [1][3].

Mitigation

As of this advisory, users are strongly recommended to upgrade to a patched version of Moby that addresses the race condition. The Moby project is actively maintained, and fixes are typically incorporated in subsequent releases [2]. Check the official Moby repository and Docker release notes for updated versions that resolve CVE-2024-36621 [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/moby/moby (Go)
Affected versions: < 26.0.0
Patched versions: 26.0.0

Patches (1)

Commit 37545cc64434

builder-next: fix missing lock in ensurelayer

https://github.com/moby/moby · Tonis Tiigi · Mar 7, 2024 · via ghsa
2 files changed · +14 −8
  • builder/builder-next/adapters/snapshot/layer.go  +3 −0  modified
    @@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
     }
     
     func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
    +	s.layerCreateLocker.Lock(key)
    +	defer s.layerCreateLocker.Unlock(key)
    +
     	diffIDs, err := s.GetDiffIDs(ctx, key)
     	if err != nil {
     		return nil, err
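Review bot: the per-key lock now brackets the whole check-then-create sequence in EnsureLayer, which is the right scope, but GetDiffIDs (declared just above, per the hunk header) takes no lock of its own, so a caller reading diff IDs directly while another build is inside EnsureLayer for the same key is not serialized by this change; a doc comment on EnsureLayer stating that it is the only path that creates a layer for a key, and that layerCreateLocker is what makes concurrent calls for one key safe, would make that contract explicit. The deferred `s.layerCreateLocker.Unlock(key)` also discards the error that locker.Locker.Unlock returns; harmless here because Lock always precedes it, but worth a one-line comment.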
    
  • builder/builder-next/adapters/snapshot/snapshot.go  +11 −8  modified
    @@ -17,6 +17,7 @@ import (
     	"github.com/moby/buildkit/identity"
     	"github.com/moby/buildkit/snapshot"
     	"github.com/moby/buildkit/util/leaseutil"
    +	"github.com/moby/locker"
     	"github.com/opencontainers/go-digest"
     	"github.com/pkg/errors"
     	bolt "go.etcd.io/bbolt"
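Review bot: the new import `"github.com/moby/locker"` must already be vendored for a two-file change to build; the commit touches neither vendor.mod nor vendor/, so confirm the module is already listed there (it is used elsewhere in moby, but that is not visible in this diff) rather than relying on CI to catch a missing dependency.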
    @@ -51,10 +52,11 @@ type checksumCalculator interface {
     type snapshotter struct {
     	opt Opt
     
    -	refs map[string]layer.Layer
    -	db   *bolt.DB
    -	mu   sync.Mutex
    -	reg  graphIDRegistrar
    +	refs              map[string]layer.Layer
    +	db                *bolt.DB
    +	mu                sync.Mutex
    +	reg               graphIDRegistrar
    +	layerCreateLocker *locker.Locker
     }
     
     // NewSnapshotter creates a new snapshotter
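Review bot: `layerCreateLocker *locker.Locker` is added with no comment saying what it guards or that it must be non-nil, and it sits directly under the existing `mu sync.Mutex`; a nil *locker.Locker panics on the first Lock call, so a one-line comment on each field (what `mu` protects, and that `layerCreateLocker` serializes layer creation per key in EnsureLayer) would keep the next reader from conflating the two or from building a snapshotter literal without it.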
    @@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
     	}
     
     	s := &snapshotter{
    -		opt:  opt,
    -		db:   db,
    -		refs: map[string]layer.Layer{},
    -		reg:  reg,
    +		opt:               opt,
    +		db:                db,
    +		refs:              map[string]layer.Layer{},
    +		reg:               reg,
    +		layerCreateLocker: locker.New(),
     	}
     
     	slm := newLeaseManager(s, prevLM)
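Review bot: `locker.New()` in this constructor is the only place the field is initialized, and the change ships without a regression test (2 files changed, neither a _test.go); a test that calls EnsureLayer concurrently for a single key and asserts that exactly one layer is created would pin the fix and also catch any future constructor path that leaves layerCreateLocker nil.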
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
