
CVE-2024-41006: Vulnerability in Linux / Linux

Medium
Published: Fri Jul 12 2024 (07/12/2024, 12:44:41 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b."

nr_connect
  nr_establish_data_link
    nr_start_heartbeat

nr_release
  switch (nr->state)
  case NR_STATE_3
    nr->state = NR_STATE_2
    sock_set_flag(sk, SOCK_DESTROY);

nr_rx_frame
  nr_process_rx_frame
    switch (nr->state)
    case NR_STATE_2
      nr_state2_machine()
        nr_disconnect()
          nr_sk(sk)->state = NR_STATE_0
          sock_set_flag(sk, SOCK_DEAD)

nr_heartbeat_expiry
  switch (nr->state)
  case NR_STATE_0
    if (sock_flag(sk, SOCK_DESTROY) ||
        (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD)))
      sock_hold()    // ( !!! )
      nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

AI-Powered Analysis

Last updated: 06/28/2025, 04:25:08 UTC

Technical Analysis

CVE-2024-41006 addresses a memory leak vulnerability in the Linux kernel's netrom protocol implementation, specifically within the nr_heartbeat_expiry() function. The netrom protocol is a networking protocol used primarily for amateur radio packet networks. The vulnerability was identified through syzbot, an automated kernel fuzzing tool, which reported a memory leak in the nr_create() function. The root cause stems from incorrect reference counting management related to socket states and flags. In particular, the patch fixed an issue where sock_hold() was called on a socket with the SOCK_DESTROY flag set, even though the file descriptor had already been closed and nr_release() had been called. This led to a memory leak because the reference count was unnecessarily incremented without a corresponding decrement, preventing proper resource cleanup. The fix ensures sock_hold() is only called for listening sockets with the SOCK_DEAD flag, where it is appropriate to maintain the reference count. The vulnerability involves complex state transitions of the netrom socket states (NR_STATE_0, NR_STATE_2, NR_STATE_3) and the handling of socket flags (SOCK_DESTROY and SOCK_DEAD) during connection establishment, heartbeat expiry, and socket release. Although the vulnerability does not appear to allow direct code execution or privilege escalation, the memory leak could degrade system stability over time, especially on systems heavily utilizing the netrom protocol. The affected versions include multiple Linux kernel commits prior to the fix, and the issue was responsibly disclosed by InfoTeCS on behalf of the Linux Verification Center using Syzkaller. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet.
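The two heartbeat cases from the description and the analysis above, reduced to a reference-count model. This is an added example, not kernel code: the struct, the hold_policy enum and the two case_* functions are invented here, only the references the description talks about are counted, and "freed" means the count reached zero.

```c
/* Toy reference-count model of the nr_heartbeat_expiry() cases in the
 * advisory (added example, not kernel code; names below are invented). */
#include <stdbool.h>
enum { NR_STATE_0 = 0, TCP_ESTABLISHED = 1, TCP_LISTEN = 10 };
/* The three shapes the NR_STATE_0 branch has had, per the description. */
enum hold_policy {
    HOLD_NEVER,     /* before 409db27e3a2e: use-after-free of a listener */
    HOLD_ALWAYS,    /* 409db27e3a2e: leaks a SOCK_DESTROY socket (this CVE) */
    HOLD_LISTENER,  /* the CVE-2024-41006 fix */
};
struct toy_sock {
    int  refcnt;         /* models sk->sk_refcnt */
    int  sk_state;       /* TCP_LISTEN or TCP_ESTABLISHED */
    int  nr_state;       /* models nr_sk(sk)->state */
    bool destroy, dead;  /* SOCK_DESTROY / SOCK_DEAD */
    int  frees;          /* 0 = leaked, 1 = correct, 2 = freed twice */
};
static void sock_hold(struct toy_sock *sk) { sk->refcnt++; }
static void sock_put(struct toy_sock *sk)  { if (--sk->refcnt <= 0) sk->frees++; }
/* nr_destroy_socket() tears the socket down and drops one reference. */
static void nr_destroy_socket(struct toy_sock *sk) { sock_put(sk); }

static void nr_heartbeat_expiry(struct toy_sock *sk, enum hold_policy p)
{
    bool listener_dead = sk->sk_state == TCP_LISTEN && sk->dead;
    if (sk->nr_state != NR_STATE_0 || !(sk->destroy || listener_dead))
        return;                                /* timer just re-arms */
    if (p == HOLD_ALWAYS || (p == HOLD_LISTENER && listener_dead))
        sock_hold(sk);                         /* the "( !!! )" line */
    nr_destroy_socket(sk);
}
/* Case "a": fd closed (nr_release() set SOCK_DESTROY), then the peer
 * disconnected (state -> 0, SOCK_DEAD).  Nobody puts the socket later. */
static int case_a_frees(enum hold_policy p)
{
    struct toy_sock sk = { .refcnt = 1, .sk_state = TCP_ESTABLISHED,
                           .nr_state = NR_STATE_0, .destroy = true, .dead = true };
    nr_heartbeat_expiry(&sk, p);
    return sk.frees;
}
/* Case "b": dead listening socket; nr_release() later calls
 * nr_destroy_socket() and puts the reference a second time. */
static int case_b_frees(enum hold_policy p)
{
    struct toy_sock sk = { .refcnt = 1, .sk_state = TCP_LISTEN,
                           .nr_state = NR_STATE_0, .dead = true };
    nr_heartbeat_expiry(&sk, p);
    nr_destroy_socket(&sk);                    /* later nr_release() */
    return sk.frees;
}
```

Only HOLD_LISTENER frees exactly once in both cases: HOLD_ALWAYS never frees the SOCK_DESTROY socket (the leak this CVE fixes), and HOLD_NEVER frees the listener twice.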

Potential Impact

For European organizations, the impact of CVE-2024-41006 is primarily related to system reliability and availability rather than direct compromise of confidentiality or integrity. Organizations running Linux systems with netrom protocol support—often niche or specialized environments such as amateur radio networks, research institutions, or certain industrial control systems—may experience memory leaks leading to resource exhaustion. Over time, this could cause degraded performance, system crashes, or forced reboots, impacting operational continuity. While the netrom protocol is not widely used in mainstream enterprise environments, certain sectors in Europe with specialized communication needs (e.g., emergency services, research labs, or hobbyist communities) could be affected. The vulnerability does not appear to facilitate remote code execution or privilege escalation, limiting its use as an attack vector for broader cyberattacks. However, persistent memory leaks can be exploited by attackers to cause denial-of-service conditions, which could disrupt critical services. Given the Linux kernel's widespread use across European infrastructure, ensuring all kernel components are patched is essential to maintain system stability and security.

Mitigation Recommendations

1. Apply the official Linux kernel patch that addresses CVE-2024-41006 as soon as it becomes available in your distribution's kernel updates.
2. For organizations using custom or embedded Linux kernels with netrom support, backport the fix from the relevant commit (409db27e3a2e) to ensure the memory leak is resolved.
3. Monitor systems running the netrom protocol for unusual memory usage patterns or resource exhaustion symptoms that could indicate the presence of this memory leak.
4. Limit or disable netrom protocol usage if it is not required, reducing the attack surface and exposure to this vulnerability.
5. Implement robust system monitoring and alerting to detect early signs of memory leaks or socket resource mismanagement.
6. Conduct regular kernel updates and vulnerability assessments to ensure all known issues are addressed promptly.
7. Engage with Linux kernel maintainers or community forums for additional guidance on mitigating netrom-related vulnerabilities in specialized environments.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-07-12T12:17:45.610Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9821c4522896dcbddf03

Added to database: 5/21/2025, 9:08:49 AM

Last enriched: 6/28/2025, 4:25:08 AM

Last updated: 8/16/2025, 4:56:26 AM

Views: 12
