CVE-2024-41006 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41006-d24b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-41006
https://www.cve.org/CVERecord?id=CVE-2024-41006

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.10:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.10:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.10:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.10:rc4::::::
Vendors & Products		Linux Linux linux Kernel
Metrics	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Type	Values Removed	Values Added
Weaknesses		CWE-404
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41006", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.610Z", "datePublished": "2024-07-12T12:44:41.176Z", "dateUpdated": "2025-05-04T12:57:23.615Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:57:23.615Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\n\nnr_release\n  switch (nr->state)\n  case NR_STATE_3\n    nr->state = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\n\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr->state)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)->state = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\n\n                        nr_heartbeat_expiry\n                          switch (nr->state)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk->sk_state == TCP_LISTEN\n                                 && sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netrom/nr_timer.c"], "versions": [{"version": "a31caf5779ace8fa98b0d454133808e082ee7a1b", "lessThan": "d616876256b38ecf9a1a1c7d674192c5346bc69c", "status": "affected", "versionType": "git"}, {"version": "fe9b9e621cebe6b7e83f7e954c70f8bb430520e5", "lessThan": "e07a9c2a850cdebf625e7a1b8171bd23a8554313", "status": "affected", "versionType": "git"}, {"version": "7de16d75b20ab13b75a7291f449a1b00090edfea", "lessThan": "5391f9db2cab5ef1cb411be1ab7dbec728078fba", "status": "affected", "versionType": "git"}, {"version": "d2d3ab1b1de3302de2c85769121fd4f890e47ceb", "lessThan": "280cf1173726a7059b628c610c71050d5c0b6937", "status": "affected", "versionType": "git"}, {"version": "51e394c6f81adbfe7c34d15f58b3d4d44f144acf", "lessThan": "a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", "status": "affected", "versionType": "git"}, {"version": "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", "lessThan": "b6ebe4fed73eedeb73f4540f8edc4871945474c8", "status": "affected", "versionType": "git"}, {"version": "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", "lessThan": "d377f5a28332954b19e373d36823e59830ab1712", "status": "affected", "versionType": "git"}, {"version": "409db27e3a2eb5e8ef7226ca33be33361b3ed1c9", "lessThan": "0b9130247f3b6a1122478471ff0e014ea96bb735", "status": "affected", "versionType": "git"}, {"version": "e666990abb2e42dd4ba979b4706280a3664cfae7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/netrom/nr_timer.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.317", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.279", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.221", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.162", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.96", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.36", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.7", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.272", "versionEndExcluding": "4.19.317"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.231", "versionEndExcluding": "5.4.279"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.166", "versionEndExcluding": "5.10.221"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.91", "versionEndExcluding": "5.15.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.9", "versionEndExcluding": "6.1.96"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.9.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.305"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c"}, {"url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313"}, {"url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba"}, {"url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937"}, {"url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"}, {"url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8"}, {"url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712"}, {"url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735"}], "title": "netrom: Fix a memory leak in nr_heartbeat_expiry()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:56.157Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:00:58.734577Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:18.546Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-41006 (string)

assignerOrgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

state : PUBLISHED (string)

assignerShortName : Linux (string)

dateReserved : 2024-07-12T12:17:45.610Z (string)

datePublished : 2024-07-12T12:44:41.176Z (string)

dateUpdated : 2025-05-04T12:57:23.615Z (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

shortName : Linux (string)

dateUpdated : 2025-05-04T12:57:23.615Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 (string)

}

]

affected : [ »

0 : { »

product : Linux (string)

vendor : Linux (string)

defaultStatus : unaffected (string)

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

programFiles : [ »

0 : net/netrom/nr_timer.c (string)

]

versions : [ »

0 : { »

version : a31caf5779ace8fa98b0d454133808e082ee7a1b (string)

lessThan : d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

status : affected (string)

versionType : git (string)

}

1 : { »

version : fe9b9e621cebe6b7e83f7e954c70f8bb430520e5 (string)

lessThan : e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

status : affected (string)

versionType : git (string)

}

2 : { »

version : 7de16d75b20ab13b75a7291f449a1b00090edfea (string)

lessThan : 5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

status : affected (string)

versionType : git (string)

}

3 : { »

version : d2d3ab1b1de3302de2c85769121fd4f890e47ceb (string)

lessThan : 280cf1173726a7059b628c610c71050d5c0b6937 (string)

status : affected (string)

versionType : git (string)

}

4 : { »

version : 51e394c6f81adbfe7c34d15f58b3d4d44f144acf (string)

lessThan : a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

status : affected (string)

versionType : git (string)

}

5 : { »

version : 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 (string)

lessThan : b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

status : affected (string)

versionType : git (string)

}

6 : { »

version : 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 (string)

lessThan : d377f5a28332954b19e373d36823e59830ab1712 (string)

status : affected (string)

versionType : git (string)

}

7 : { »

version : 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 (string)

lessThan : 0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

status : affected (string)

versionType : git (string)

}

8 : { »

version : e666990abb2e42dd4ba979b4706280a3664cfae7 (string)

status : affected (string)

versionType : git (string)

}

]

}

1 : { »

product : Linux (string)

vendor : Linux (string)

defaultStatus : affected (string)

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

programFiles : [ »

0 : net/netrom/nr_timer.c (string)

]

versions : [ »

0 : { »

version : 6.2 (string)

status : affected (string)

}

1 : { »

version : 0 (string)

lessThan : 6.2 (string)

status : unaffected (string)

versionType : semver (string)

}

2 : { »

version : 4.19.317 (string)

lessThanOrEqual : 4.19.* (string)

status : unaffected (string)

versionType : semver (string)

}

3 : { »

version : 5.4.279 (string)

lessThanOrEqual : 5.4.* (string)

status : unaffected (string)

versionType : semver (string)

}

4 : { »

version : 5.10.221 (string)

lessThanOrEqual : 5.10.* (string)

status : unaffected (string)

versionType : semver (string)

}

5 : { »

version : 5.15.162 (string)

lessThanOrEqual : 5.15.* (string)

status : unaffected (string)

versionType : semver (string)

}

6 : { »

version : 6.1.96 (string)

lessThanOrEqual : 6.1.* (string)

status : unaffected (string)

versionType : semver (string)

}

7 : { »

version : 6.6.36 (string)

lessThanOrEqual : 6.6.* (string)

status : unaffected (string)

versionType : semver (string)

}

8 : { »

version : 6.9.7 (string)

lessThanOrEqual : 6.9.* (string)

status : unaffected (string)

versionType : semver (string)

}

9 : { »

version : 6.10 (string)

lessThanOrEqual : * (string)

status : unaffected (string)

versionType : original_commit_for_fix (string)

}

]

}

]

cpeApplicability : [ »

0 : { »

nodes : [ »

0 : { »

operator : OR (string)

negate : false (boolean)

cpeMatch : [ »

0 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 4.19.272 (string)

versionEndExcluding : 4.19.317 (string)

}

1 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 5.4.231 (string)

versionEndExcluding : 5.4.279 (string)

}

2 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 5.10.166 (string)

versionEndExcluding : 5.10.221 (string)

}

3 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 5.15.91 (string)

versionEndExcluding : 5.15.162 (string)

}

4 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 6.1.9 (string)

versionEndExcluding : 6.1.96 (string)

}

5 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 6.2 (string)

versionEndExcluding : 6.6.36 (string)

}

6 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 6.2 (string)

versionEndExcluding : 6.9.7 (string)

}

7 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 6.2 (string)

versionEndExcluding : 6.10 (string)

}

8 : { »

vulnerable : true (boolean)

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

versionStartIncluding : 4.14.305 (string)

}

]

}

]

}

]

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

}

1 : { »

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

}

2 : { »

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

}

3 : { »

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

}

4 : { »

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

}

5 : { »

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

}

6 : { »

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

}

7 : { »

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

}

]

title : netrom: Fix a memory leak in nr_heartbeat_expiry() (string)

x_generator : { »

engine : bippy-1.2.0 (string)

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T04:39:56.157Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

tags : [ »

0 : x_transferred (string)

]

}

5 : { »

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

tags : [ »

0 : x_transferred (string)

]

}

6 : { »

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

1 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-41006 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-09-10T17:00:58.734577Z (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-09-11T17:34:18.546Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:56.157Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41006", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:00:58.734577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:21.915Z"}}], "cna": {"title": "netrom: Fix a memory leak in nr_heartbeat_expiry()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "a31caf5779ac", "lessThan": "d616876256b3", "versionType": "git"}, {"status": "affected", "version": "fe9b9e621ceb", "lessThan": "e07a9c2a850c", "versionType": "git"}, {"status": "affected", "version": "7de16d75b20a", "lessThan": "5391f9db2cab", "versionType": "git"}, {"status": "affected", "version": "d2d3ab1b1de3", "lessThan": "280cf1173726", "versionType": "git"}, {"status": "affected", "version": "51e394c6f81a", "lessThan": "a02fd5d775cf", "versionType": "git"}, {"status": "affected", "version": "409db27e3a2e", "lessThan": "b6ebe4fed73e", "versionType": "git"}, {"status": "affected", "version": "409db27e3a2e", "lessThan": "d377f5a28332", "versionType": "git"}, {"status": "affected", "version": "409db27e3a2e", "lessThan": "0b9130247f3b", "versionType": "git"}], "programFiles": ["net/netrom/nr_timer.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.2"}, {"status": "unaffected", "version": "0", "lessThan": "6.2", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.317", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.279", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.221", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.162", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.96", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.36", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.7", "versionType": "semver", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/netrom/nr_timer.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c"}, {"url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313"}, {"url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba"}, {"url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937"}, {"url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"}, {"url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8"}, {"url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712"}, {"url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\n\nnr_release\n  switch (nr->state)\n  case NR_STATE_3\n    nr->state = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\n\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr->state)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)->state = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\n\n                        nr_heartbeat_expiry\n                          switch (nr->state)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk->sk_state == TCP_LISTEN\n                                 && sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:34:54.773Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41006", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:34:54.773Z", "dateReserved": "2024-07-12T12:17:45.610Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:44:41.176Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

tags : [ »

0 : x_transferred (string)

]

}

5 : { »

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

tags : [ »

0 : x_transferred (string)

]

}

6 : { »

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

tags : [ »

0 : x_transferred (string)

]

}

7 : { »

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T04:39:56.157Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-41006 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2024-09-10T17:00:58.734577Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2024-09-11T12:42:21.915Z (string)

}

]

cna : { »

title : netrom: Fix a memory leak in nr_heartbeat_expiry() (string)

affected : [ »

0 : { »

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

vendor : Linux (string)

product : Linux (string)

versions : [ »

0 : { »

status : affected (string)

version : a31caf5779ac (string)

lessThan : d616876256b3 (string)

versionType : git (string)

}

1 : { »

status : affected (string)

version : fe9b9e621ceb (string)

lessThan : e07a9c2a850c (string)

versionType : git (string)

}

2 : { »

status : affected (string)

version : 7de16d75b20a (string)

lessThan : 5391f9db2cab (string)

versionType : git (string)

}

3 : { »

status : affected (string)

version : d2d3ab1b1de3 (string)

lessThan : 280cf1173726 (string)

versionType : git (string)

}

4 : { »

status : affected (string)

version : 51e394c6f81a (string)

lessThan : a02fd5d775cf (string)

versionType : git (string)

}

5 : { »

status : affected (string)

version : 409db27e3a2e (string)

lessThan : b6ebe4fed73e (string)

versionType : git (string)

}

6 : { »

status : affected (string)

version : 409db27e3a2e (string)

lessThan : d377f5a28332 (string)

versionType : git (string)

}

7 : { »

status : affected (string)

version : 409db27e3a2e (string)

lessThan : 0b9130247f3b (string)

versionType : git (string)

}

]

programFiles : [ »

0 : net/netrom/nr_timer.c (string)

]

defaultStatus : unaffected (string)

}

1 : { »

repo : https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git (string)

vendor : Linux (string)

product : Linux (string)

versions : [ »

0 : { »

status : affected (string)

version : 6.2 (string)

}

1 : { »

status : unaffected (string)

version : 0 (string)

lessThan : 6.2 (string)

versionType : semver (string)

}

2 : { »

status : unaffected (string)

version : 4.19.317 (string)

versionType : semver (string)

lessThanOrEqual : 4.19.* (string)

}

3 : { »

status : unaffected (string)

version : 5.4.279 (string)

versionType : semver (string)

lessThanOrEqual : 5.4.* (string)

}

4 : { »

status : unaffected (string)

version : 5.10.221 (string)

versionType : semver (string)

lessThanOrEqual : 5.10.* (string)

}

5 : { »

status : unaffected (string)

version : 5.15.162 (string)

versionType : semver (string)

lessThanOrEqual : 5.15.* (string)

}

6 : { »

status : unaffected (string)

version : 6.1.96 (string)

versionType : semver (string)

lessThanOrEqual : 6.1.* (string)

}

7 : { »

status : unaffected (string)

version : 6.6.36 (string)

versionType : semver (string)

lessThanOrEqual : 6.6.* (string)

}

8 : { »

status : unaffected (string)

version : 6.9.7 (string)

versionType : semver (string)

lessThanOrEqual : 6.9.* (string)

}

9 : { »

status : unaffected (string)

version : 6.10 (string)

versionType : original_commit_for_fix (string)

lessThanOrEqual : * (string)

}

]

programFiles : [ »

0 : net/netrom/nr_timer.c (string)

]

defaultStatus : affected (string)

}

]

references : [ »

0 : { »

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

}

1 : { »

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

}

2 : { »

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

}

3 : { »

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

}

4 : { »

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

}

5 : { »

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

}

6 : { »

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

}

7 : { »

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

}

]

x_generator : { »

engine : bippy-9e1c9544281a (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 (string)

}

]

providerMetadata : { »

orgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

shortName : Linux (string)

dateUpdated : 2024-11-05T09:34:54.773Z (string)

}

cveMetadata : { »

cveId : CVE-2024-41006 (string)

state : PUBLISHED (string)

dateUpdated : 2024-11-05T09:34:54.773Z (string)

dateReserved : 2024-07-12T12:17:45.610Z (string)

assignerOrgId : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

datePublished : 2024-07-12T12:44:41.176Z (string)

assignerShortName : Linux (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0799BB5F-A0F0-4290-872D-24364C18F638", "versionEndExcluding": "4.19.317", "versionStartIncluding": "4.19.272", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4821FCF8-B57B-4F3C-B3FC-5CFAEA2C6BC5", "versionEndExcluding": "5.4.279", "versionStartIncluding": "5.4.231", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E81DAF77-0E91-457C-AC9D-117B2D0BF7CB", "versionEndExcluding": "5.10.221", "versionStartIncluding": "5.10.166", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E0E5DA0-5043-4127-8316-B0E03B88EE6E", "versionEndExcluding": "5.15.162", "versionStartIncluding": "5.15.91", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "012144F5-2368-4D39-ABE2-07E7568304BB", "versionEndExcluding": "6.1.96", "versionStartIncluding": "6.1.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1046C95-860A-45B0-B718-2B29F65BFF10", "versionEndExcluding": "6.6.36", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C", "versionEndExcluding": "6.9.7", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "79F18AFA-40F7-43F0-BA30-7BDB65F918B9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n  nr_establish_data_link\n    nr_start_heartbeat\n\nnr_release\n  switch (nr->state)\n  case NR_STATE_3\n    nr->state = NR_STATE_2\n    sock_set_flag(sk, SOCK_DESTROY);\n\n                        nr_rx_frame\n                          nr_process_rx_frame\n                            switch (nr->state)\n                            case NR_STATE_2\n                              nr_state2_machine()\n                                nr_disconnect()\n                                  nr_sk(sk)->state = NR_STATE_0\n                                  sock_set_flag(sk, SOCK_DEAD)\n\n                        nr_heartbeat_expiry\n                          switch (nr->state)\n                          case NR_STATE_0\n                            if (sock_flag(sk, SOCK_DESTROY) ||\n                               (sk->sk_state == TCP_LISTEN\n                                 && sock_flag(sk, SOCK_DEAD)))\n                               sock_hold()  // ( !!! )\n                               nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: netrom: corrige una p\u00e9rdida de memoria en nr_heartbeat_expiry() syzbot inform\u00f3 una p\u00e9rdida de memoria en nr_create() [0]. El commit 409db27e3a2e (\"netrom: Reparar el use-after-free de un socket de escucha\") agreg\u00f3 sock_hold() a la funci\u00f3n nr_heartbeat_expiry(), donde a) un socket tiene un indicador SOCK_DESTROY ob) un socket de escucha tiene un indicador SOCK_DEAD. Pero en el caso \"a\", cuando se establece el indicador SOCK_DESTROY, el descriptor de archivo ya se ha cerrado y se ha llamado a la funci\u00f3n nr_release(). Por lo tanto, no tiene sentido mantener el recuento de referencias porque nadie llamar\u00e1 a otro nr_destroy_socket() y lo pondr\u00e1 como en el caso \"b\". nr_connect nr_establecer_data_link nr_start_heartbeat nr_release interruptor (nr-&gt;estado) caso NR_STATE_3 nr-&gt;estado = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame interruptor (nr-&gt;estado) caso NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)-&gt;estado = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry interruptor (nr-&gt;estado) caso NR_STATE_0 if (sock_flag(sk, OCK_DESTROY) || (sk-&gt;sk_state == TCP_LISTEN &amp;&amp; sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() Para solucionar la p\u00e9rdida de memoria, llamemos a sock_hold() solo para un socket de escucha. Encontrado por InfoTeCS en nombre del Centro de verificaci\u00f3n de Linux (linuxtesting.org) con Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16"}], "id": "CVE-2024-41006", "lastModified": "2024-11-21T09:32:03.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:21.370", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 0799BB5F-A0F0-4290-872D-24364C18F638 (string)

versionEndExcluding : 4.19.317 (string)

versionStartIncluding : 4.19.272 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 4821FCF8-B57B-4F3C-B3FC-5CFAEA2C6BC5 (string)

versionEndExcluding : 5.4.279 (string)

versionStartIncluding : 5.4.231 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E81DAF77-0E91-457C-AC9D-117B2D0BF7CB (string)

versionEndExcluding : 5.10.221 (string)

versionStartIncluding : 5.10.166 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 2E0E5DA0-5043-4127-8316-B0E03B88EE6E (string)

versionEndExcluding : 5.15.162 (string)

versionStartIncluding : 5.15.91 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 012144F5-2368-4D39-ABE2-07E7568304BB (string)

versionEndExcluding : 6.1.96 (string)

versionStartIncluding : 6.1.9 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E1046C95-860A-45B0-B718-2B29F65BFF10 (string)

versionEndExcluding : 6.6.36 (string)

versionStartIncluding : 6.2 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C (string)

versionEndExcluding : 6.9.7 (string)

versionStartIncluding : 6.7 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* (string)

matchCriteriaId : 2EBB4392-5FA6-4DA9-9772-8F9C750109FA (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* (string)

matchCriteriaId : 331C2F14-12C7-45D5-893D-8C52EE38EA10 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* (string)

matchCriteriaId : 3173713D-909A-4DD3-9DD4-1E171EB057EE (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* (string)

matchCriteriaId : 79F18AFA-40F7-43F0-BA30-7BDB65F918B9 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 (string)

}

1 : { »

lang : es (string)

value : En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netrom: corrige una pérdida de memoria en nr_heartbeat_expiry() syzbot informó una pérdida de memoria en nr_create() [0]. El commit 409db27e3a2e ("netrom: Reparar el use-after-free de un socket de escucha") agregó sock_hold() a la función nr_heartbeat_expiry(), donde a) un socket tiene un indicador SOCK_DESTROY ob) un socket de escucha tiene un indicador SOCK_DEAD. Pero en el caso "a", cuando se establece el indicador SOCK_DESTROY, el descriptor de archivo ya se ha cerrado y se ha llamado a la función nr_release(). Por lo tanto, no tiene sentido mantener el recuento de referencias porque nadie llamará a otro nr_destroy_socket() y lo pondrá como en el caso "b". nr_connect nr_establecer_data_link nr_start_heartbeat nr_release interruptor (nr->estado) caso NR_STATE_3 nr->estado = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame interruptor (nr->estado) caso NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->estado = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry interruptor (nr->estado) caso NR_STATE_0 if (sock_flag(sk, OCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() Para solucionar la pérdida de memoria, llamemos a sock_hold() solo para un socket de escucha. Encontrado por InfoTeCS en nombre del Centro de verificación de Linux (linuxtesting.org) con Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 (string)

}

]

id : CVE-2024-41006 (string)

lastModified : 2024-11-21T09:32:03.057 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : LOCAL (string)

availabilityImpact : HIGH (string)

baseScore : 5.5 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 1.8 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2024-07-12T13:15:21.370 (string)

references : [ »

0 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

}

1 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

}

2 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

}

3 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

}

4 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

}

5 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

}

6 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

}

7 : { »

source : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937 (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8 (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712 (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mailing List (string)

1 : Patch (string)

]

url : https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313 (string)

}

]

sourceIdentifier : 416baaa9-dc9f-4396-8d5f-8c081fb06d67 (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-401 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "kernel: netrom: Fix a memory leak in nr_heartbeat_expiry()", "id": "2297590", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297590"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-404", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\nsyzbot reported a memory leak in nr_create() [0].\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\nnr_connect\nnr_establish_data_link\nnr_start_heartbeat\nnr_release\nswitch (nr->state)\ncase NR_STATE_3\nnr->state = NR_STATE_2\nsock_set_flag(sk, SOCK_DESTROY);\nnr_rx_frame\nnr_process_rx_frame\nswitch (nr->state)\ncase NR_STATE_2\nnr_state2_machine()\nnr_disconnect()\nnr_sk(sk)->state = NR_STATE_0\nsock_set_flag(sk, SOCK_DEAD)\nnr_heartbeat_expiry\nswitch (nr->state)\ncase NR_STATE_0\nif (sock_flag(sk, SOCK_DESTROY) ||\n(sk->sk_state == TCP_LISTEN\n&& sock_flag(sk, SOCK_DEAD)))\nsock_hold()  // ( !!! )\nnr_destroy_socket()\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16"], "name": "CVE-2024-41006", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-41006\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-41006\nhttps://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41006-d24b@gregkh/T"], "threat_severity": "Low"}

{

bugzilla : { »

description : kernel: netrom: Fix a memory leak in nr_heartbeat_expiry() (string)

id : 2297590 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2297590 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 4.7 (string)

cvss3_scoring_vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (string)

status : draft (string)

}

cwe : CWE-404 (string)

details : [ »

0 : In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 (string)

]

name : CVE-2024-41006 (string)

package_state : [ »

0 : { »

cpe : cpe:/o:redhat:enterprise_linux:6 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 6 (string)

}

1 : { »

cpe : cpe:/o:redhat:enterprise_linux:7 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 7 (string)

}

2 : { »

cpe : cpe:/o:redhat:enterprise_linux:7 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 7 (string)

}

3 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

4 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

5 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : kernel (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

6 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : kernel-rt (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

]

public_date : 2024-07-12T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2024-41006 https://nvd.nist.gov/vuln/detail/CVE-2024-41006 https://lore.kernel.org/linux-cve-announce/2024071244-CVE-2024-41006-d24b@gregkh/T (string)

]

threat_severity : Low (string)

}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object