Bottlerocket: kernel-5.15: security update to 2.1.0

high Tenable Cloud Security Plugin ID 427932

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift
UBSAN catches undefined behavior in blk-iocost, where sometimes iocg->delay is shifted right by a number
that is too large, resulting in undefined behavior on some architectures. [ 186.556576] ------------[ cut
here ]------------ UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 shift exponent 64 is too large
for 64-bit type 'u64' (aka 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N
6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Hardware name: Quanta Twin Lakes MP/Twin Lakes
Passive MP, BIOS F09_3A23 12/08/2020 Call Trace: <IRQ> dump_stack_lvl+0x8f/0xe0
__ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80
__run_timer_base+0x1b6/0x250 ... Avoid that undefined behavior by simply taking the "delay = 0" branch if
the shift is too large. I am not sure what the symptoms of an undefined value delay will be, but I suspect
it could be more than a little annoying to debug. (CVE-2024-36916)

Plugin Details

Severity: High

ID: 427932

Version: Revision 1.4

Type: Local

Published: 6/30/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.38

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C

CVSS Score Source: CVE-2024-36916

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2024-36916