Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2024-41006— netrom: Fix a memory leak in nr_heartbeat_expiry()

EPSS 0.02% · P6

Affected Version Matrix 19

VendorProductVersion RangeStatus
LinuxLinuxa31caf5779ace8fa98b0d454133808e082ee7a1b< d616876256b38ecf9a1a1c7d674192c5346bc69caffected
fe9b9e621cebe6b7e83f7e954c70f8bb430520e5< e07a9c2a850cdebf625e7a1b8171bd23a8554313affected
7de16d75b20ab13b75a7291f449a1b00090edfea< 5391f9db2cab5ef1cb411be1ab7dbec728078fbaaffected
d2d3ab1b1de3302de2c85769121fd4f890e47ceb< 280cf1173726a7059b628c610c71050d5c0b6937affected
51e394c6f81adbfe7c34d15f58b3d4d44f144acf< a02fd5d775cf9787ee7698c797e20f2fa13d2e2baffected
409db27e3a2eb5e8ef7226ca33be33361b3ed1c9< b6ebe4fed73eedeb73f4540f8edc4871945474c8affected
409db27e3a2eb5e8ef7226ca33be33361b3ed1c9< d377f5a28332954b19e373d36823e59830ab1712affected
409db27e3a2eb5e8ef7226ca33be33361b3ed1c9< 0b9130247f3b6a1122478471ff0e014ea96bb735affected
… +11 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-41006

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
netrom: Fix a memory leak in nr_heartbeat_expiry()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于 netrom 组件在 nr_heartbeat_expiry 函数中存在内存泄漏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux a31caf5779ace8fa98b0d454133808e082ee7a1b ~ d616876256b38ecf9a1a1c7d674192c5346bc69c -
LinuxLinux 6.2 -

II. Public POCs for CVE-2024-41006

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-41006

登录查看更多情报信息。

Same Patch Batch · Linux · 2024-07-12 · 122 CVEs total

CVE-2024-40959xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
CVE-2024-40974powerpc/pseries: Enforce hcall result buffer validity and size
CVE-2024-40973media: mtk-vcodec: potential null pointer deference in SCP
CVE-2024-40972ext4: do not create EA inode under buffer lock
CVE-2024-40970Avoid hw_desc array overrun in dw-axi-dmac
CVE-2024-40971f2fs: remove clear SB_INLINECRYPT flag in default_options
CVE-2024-40969f2fs: don't set RO when shutting down f2fs
CVE-2024-40967serial: imx: Introduce timeout when waiting on transmitter empty
CVE-2024-40968MIPS: Octeon: Add PCIe link status check
CVE-2024-40966tty: add the option to have a tty reject a new ldisc
CVE-2024-40965i2c: lpi2c: Avoid calling clk_get_rate during transfer
CVE-2024-40964ALSA: hda: cs35l41: Possible null pointer dereference in cs35l41_hda_unbind()
CVE-2024-40963mips: bmips: BCM6358: make sure CBR is correctly set
CVE-2024-40961ipv6: prevent possible NULL deref in fib6_nh_init()
CVE-2024-40962btrfs: zoned: allocate dummy checksums for zoned NODATASUM writes
CVE-2024-40960ipv6: prevent possible NULL dereference in rt6_probe()
CVE-2024-40950mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
CVE-2024-40949mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
CVE-2024-40947ima: Avoid blocking in RCU read-side critical section
CVE-2024-40951ocfs2: fix NULL pointer dereference in ocfs2_abort_trigger()

Showing top 20 of 122 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2024-41006

No comments yet

Leave a comment