
CVE-2024-36009: Vulnerability in Linux Linux

Medium
Published: Mon May 20 2024 (05/20/2024, 09:48:08 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix netdev refcount issue

The dev_tracker is added to ax25_cb in ax25_bind(). When the ax25 device is detaching, the dev_tracker of ax25_cb should be deallocated in ax25_kill_by_device() instead of the dev_tracker of ax25_dev. The log reported by ref_tracker is shown below:

[ 80.884935] ref_tracker: reference already released.
[ 80.885150] ref_tracker: allocated in:
[ 80.885349] ax25_dev_device_up+0x105/0x540
[ 80.885730] ax25_device_event+0xa4/0x420
[ 80.885730] notifier_call_chain+0xc9/0x1e0
[ 80.885730] __dev_notify_flags+0x138/0x280
[ 80.885730] dev_change_flags+0xd7/0x180
[ 80.885730] dev_ifsioc+0x6a9/0xa30
[ 80.885730] dev_ioctl+0x4d8/0xd90
[ 80.885730] sock_do_ioctl+0x1c2/0x2d0
[ 80.885730] sock_ioctl+0x38b/0x4f0
[ 80.885730] __se_sys_ioctl+0xad/0xf0
[ 80.885730] do_syscall_64+0xc4/0x1b0
[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 80.885730] ref_tracker: freed in:
[ 80.885730] ax25_device_event+0x272/0x420
[ 80.885730] notifier_call_chain+0xc9/0x1e0
[ 80.885730] dev_close_many+0x272/0x370
[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180
[ 80.885730] unregister_netdev+0xcf/0x120
[ 80.885730] sixpack_close+0x11f/0x1b0
[ 80.885730] tty_ldisc_kill+0xcb/0x190
[ 80.885730] tty_ldisc_hangup+0x338/0x3d0
[ 80.885730] __tty_hangup+0x504/0x740
[ 80.885730] tty_release+0x46e/0xd80
[ 80.885730] __fput+0x37f/0x770
[ 80.885730] __x64_sys_close+0x7b/0xb0
[ 80.885730] do_syscall_64+0xc4/0x1b0
[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 80.893739] ------------[ cut here ]------------
[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0
[ 80.894297] Modules linked in:
[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11
[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4
[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0
[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9
[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286
[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000
[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518
[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a
[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4
[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518
[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000
[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0
...
[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at
[ 80.935774] ax25_bind+0x424/0x4e0
[ 80.935774] __sys_bind+0x1d9/0x270
[ 80.935774] __x64_sys_bind+0x75/0x80
[ 80.935774] do_syscall_64+0xc4/0x1b0
[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f

Change ax25_dev->dev_tracker to the dev_tracker of ax25_cb in order to mitigate the bug.

AI-Powered Analysis

Last updated: 06/28/2025, 03:27:38 UTC

Technical Analysis

CVE-2024-36009 is a vulnerability identified in the Linux kernel specifically related to the AX.25 protocol implementation, which is used primarily for amateur radio packet communications. The issue arises from improper reference counting management in the network device tracking mechanism within the AX.25 subsystem.

The vulnerability is due to the incorrect deallocation of a dev_tracker reference. Instead of deallocating the dev_tracker associated with the ax25_cb (control block) during device detachment, the kernel erroneously attempts to deallocate the dev_tracker of ax25_dev (the device structure). This leads to a use-after-free or double-free condition, as indicated by the kernel logs showing "reference already released" warnings and subsequent kernel warnings and stack traces. The root cause is a mismatch in the lifecycle management of the dev_tracker objects, which are used to track references to network devices to prevent premature freeing.

The fix involves changing the code to correctly free the dev_tracker associated with ax25_cb in the ax25_kill_by_device() function, ensuring proper reference counting and preventing the kernel from attempting to free already released references.

This vulnerability can cause kernel instability, including warnings, potential crashes, or denial of service due to kernel panics. While no known exploits are reported in the wild, the flaw could be triggered by local users or processes interacting with the AX.25 network interface, potentially leading to system crashes or other unpredictable kernel behavior. The affected versions include multiple recent Linux kernel commits, indicating the issue is present in recent kernel versions prior to the patch.

The vulnerability does not require remote exploitation but does require local access to interact with the AX.25 subsystem, which is a niche protocol mostly used in amateur radio contexts. However, the Linux kernel is widely used across many systems, so the impact depends on whether the AX.25 protocol is enabled or used on the affected system.

Potential Impact

For European organizations, the impact of CVE-2024-36009 is generally limited due to the specialized nature of the AX.25 protocol, which is not commonly used in mainstream enterprise or cloud environments. However, organizations involved in amateur radio, emergency communication networks, or specialized industrial or research applications that utilize AX.25 could be affected. Exploitation could lead to kernel crashes or denial of service, impacting system availability. In critical infrastructure or emergency communication setups where AX.25 is used, this could disrupt operations. Additionally, any Linux-based system with AX.25 enabled and accessible to untrusted local users or processes could be vulnerable to local denial of service attacks. Since the vulnerability requires local interaction and does not have known remote exploits, the risk to typical enterprise environments is low. However, kernel instability can have cascading effects, especially in systems requiring high availability or real-time communication. The vulnerability also highlights the importance of proper kernel maintenance and patching to avoid subtle reference counting bugs that can degrade system reliability.

Mitigation Recommendations

1. Apply the official Linux kernel patch that corrects the dev_tracker deallocation logic in the AX.25 subsystem as soon as it becomes available from trusted kernel sources or distributions.
2. For organizations not using AX.25, consider disabling the AX.25 kernel module or related network interfaces to eliminate the attack surface.
3. Restrict local user access and permissions to prevent unauthorized interaction with AX.25 interfaces, limiting exposure to local exploitation.
4. Monitor kernel logs for ref_tracker warnings or unusual messages related to AX.25 to detect potential exploitation attempts or instability.
5. In environments where AX.25 is critical, implement kernel live patching or rapid update mechanisms to minimize downtime and exposure.
6. Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production, especially for systems with specialized network protocols.
7. Educate system administrators and security teams about this niche vulnerability to ensure awareness and prompt response.
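For recommendation 4, an added example (not code from this page or from the kernel project): a small Python parser that groups the ref_tracker stack sections found in dmesg-style text and reports those containing ax25_* frames. The sample input is a constructed, shortened copy of the log quoted in the description, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the ref_tracker report quoted in the description.
SAMPLE_DMESG = """\
[ 80.884935] ref_tracker: reference already released.
[ 80.885150] ref_tracker: allocated in:
[ 80.885349] ax25_dev_device_up+0x105/0x540
[ 80.885730] ax25_device_event+0xa4/0x420
[ 80.885730] ref_tracker: freed in:
[ 80.885730] ax25_device_event+0x272/0x420
[ 80.885730] notifier_call_chain+0xc9/0x1e0
[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0
[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at
[ 80.935774] ax25_bind+0x424/0x4e0
[ 80.935774] __sys_bind+0x1d9/0x270
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
HEADERS = (
    (re.compile(r"^ref_tracker: allocated in:"), "allocated_in"),
    (re.compile(r"^ref_tracker: freed in:"), "freed_in"),
    (re.compile(r"^ref_tracker: .* has \d+/\d+ users at"), "still_held"),
)

def parse_ref_tracker(text):
    """Return [(section_kind, [symbol, ...]), ...], one entry per ref_tracker stack."""
    sections, current = [], None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        kind = next((k for rx, k in HEADERS if rx.match(line)), None)
        if kind:                      # a header opens a new stack section
            current = (kind, [])
            sections.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            current[1].append(frame.group(1))
        else:                         # any other line closes the section
            current = None
    return sections

def ax25_alerts(text):
    """Flag a double release and list the stack sections that contain ax25_* frames."""
    hits = [(kind, frames) for kind, frames in parse_ref_tracker(text)
            if any(sym.startswith("ax25_") for sym in frames)]
    return {"double_release": "ref_tracker: reference already released." in text,
            "ax25_sections": hits}

if __name__ == "__main__":
    print(ax25_alerts(SAMPLE_DMESG))
```

Feeding it the output of `dmesg` or a saved kernel log gives the same structure; an empty `ax25_sections` list with `double_release` false means no report of this kind was found in that text.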


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-05-17T13:50:33.152Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddce1

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 3:27:38 AM

Last updated: 8/16/2025, 10:12:21 PM
