Bottlerocket: bottlerocket-kernel-5.15, kernel-5.15: security update to 5.15.182

medium Tenable Cloud Security Plugin ID 428222

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In the Linux kernel, the following vulnerability has been resolved: blk-iocost: do not WARN if iocg was
already offlined In iocg_pay_debt(), warn is triggered if 'active_list' is empty, which is intended to
confirm iocg is active when it has debt. However, warn can be triggered during a blkcg or disk removal, if
iocg_waitq_timer_fn() is run at that time: WARNING: CPU: 0 PID: 2344971 at block/blk-iocost.c:1402
iocg_pay_debt+0x14c/0x190 Call trace: iocg_pay_debt+0x14c/0x190 iocg_kick_waitq+0x438/0x4c0
iocg_waitq_timer_fn+0xd8/0x130 __run_hrtimer+0x144/0x45c __hrtimer_run_queues+0x16c/0x244
hrtimer_interrupt+0x2cc/0x7b0 The warn in this situation is meaningless. Since this iocg is being removed,
the state of the 'active_list' is irrelevant, and 'waitq_timer' is canceled after removing 'active_list'
in ioc_pd_free(), which ensures iocg is freed after iocg_waitq_timer_fn() returns. Therefore, add the
check if iocg was already offlined to avoid warn when removing a blkcg or disk. (CVE-2024-36908)

Plugin Details

Severity: Medium

ID: 428222

Version: Revision 1.4

Type: Local

Published: 6/30/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.16

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-36908

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/30/2024

Reference Information

CVE: CVE-2024-36908