CVE-2024-41006

MEDIUM EPSS 15.3%
Published Jul 12, 20241y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jul 12, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
15.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥4.19.272  –  <4.19.317
linuxlinux_kernel*≥5.4.231  –  <5.4.279
linuxlinux_kernel*≥5.10.166  –  <5.10.221
linuxlinux_kernel*≥5.15.91  –  <5.15.162
linuxlinux_kernel*≥6.1.9  –  <6.1.96
linuxlinux_kernel*≥6.2  –  <6.6.36
linuxlinux_kernel*≥6.7  –  <6.9.7
linuxlinux_kernel6.10any
linuxlinux_kernel6.10any
linuxlinux_kernel6.10any
linuxlinux_kernel6.10any

References 12

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-355557.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-613116.html
  • git.kernel.org https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
    Mailing ListPatch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
    Mailing ListPatch