CVE-2024-50231: Vulnerability in Linux Linux

Medium
Published: Sat Nov 09 2024 (11/09/2024, 10:14:41 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()

modprobe iio-test-gts and rmmod it, then the following memory leak occurs:

    unreferenced object 0xffffff80c810be00 (size 64):
      comm "kunit_try_catch", pid 1654, jiffies 4294913981
      hex dump (first 32 bytes):
        02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00 ........ ...@...
        80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00 ................
      backtrace (crc a63d875e):
        [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
        [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
        [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
        [<0000000071bb4b09>] 0xffffffdf052a62e0
        [<000000000315bc18>] 0xffffffdf052a6488
        [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
        [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
        [<00000000f505065d>] kthread+0x2e8/0x374
        [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
    unreferenced object 0xffffff80cbfe9e70 (size 16):
      comm "kunit_try_catch", pid 1658, jiffies 4294914015
      hex dump (first 16 bytes):
        10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00 ....@...........
      backtrace (crc 857f0cb4):
        [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
        [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
        [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
        [<0000000071bb4b09>] 0xffffffdf052a62e0
        [<000000007d089d45>] 0xffffffdf052a6864
        [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
        [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
        [<00000000f505065d>] kthread+0x2e8/0x374
        [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
    ......

It includes 5*5 times "size 64" memory leaks, which correspond to 5 times test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int)) and gts_test_itimes size 5. It also includes 5*1 times "size 16" memory leak, which correspond to one time __test_init_iio_gain_scale() call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes size 5.

The reason is that the per_time_gains[i] is not freed which is allocated in the "gts->num_itime" for loop in iio_gts_build_avail_scale_table().

AI-Powered Analysis

Last updated: 06/28/2025, 13:11:50 UTC

Technical Analysis

CVE-2024-50231 is a vulnerability in the Linux kernel, specifically in the gts-helper component of the Industrial I/O (IIO) subsystem. The flaw is a memory leak in the function iio_gts_build_avail_scale_table(). It manifests when the kernel module iio-test-gts is loaded (modprobe) and subsequently unloaded (rmmod), leaving kernel allocations unreleased. The leak report shows multiple leaked objects of 64 bytes and 16 bytes, corresponding to repeated calls to test_init_iio_gain_scale() and __test_init_iio_gain_scale() with various gain and itime parameters. The root cause is the failure to free the per_time_gains[i] allocations made within the loop iterating over gts->num_itime in the affected function. The result is unreclaimed kernel memory, which can accumulate over time during repeated module load/unload cycles or test executions.

The vulnerability is not associated with any known exploits in the wild and does not have an assigned CVSS score. The issue is primarily a resource management flaw rather than a direct code execution or privilege escalation vulnerability. However, persistent memory leaks in kernel space can degrade system stability and performance, potentially leading to denial of service (DoS) conditions on affected systems. The vulnerability affects specific Linux kernel versions identified by the commit hashes provided, and it is relevant to environments utilizing the IIO subsystem and the gts-helper module, often related to sensor data processing and testing frameworks within Linux. The vulnerability was published on November 9, 2024, and remains unpatched as per the provided data.
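The root cause above, as an added userspace C model (not the kernel's code and not part of the original advisory): a counting allocator shows each table build leaking one row per integration time when only the pointer array is freed, which gives the 5*5 and 5*1 counts in the description. The helper names, the `free_rows` switch and the gain values are assumptions made for illustration.

```c
#include <stdlib.h>

static int live_allocs; /* tracked allocations not yet freed */

static void *track_calloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    live_allocs += (p != NULL);
    return p;
}

static void track_free(void *p)
{
    live_allocs -= (p != NULL);
    free(p);
}

/* Userspace model, not kernel code. free_rows == 0 models the bug: only the
 * pointer array is released, so each per_time_gains[i] row stays allocated. */
static int build_table(const int *gains, int num_gain, int num_itime, int free_rows)
{
    int **per_time_gains = track_calloc(num_itime, sizeof(*per_time_gains));
    int i, j, ret = per_time_gains ? 0 : -1;

    for (i = 0; i < num_itime && !ret; i++) {
        per_time_gains[i] = track_calloc(num_gain, sizeof(int));
        ret = per_time_gains[i] ? 0 : -1;
        for (j = 0; !ret && j < num_gain; j++)
            per_time_gains[i][j] = gains[j] * (i + 1); /* constructed values */
    }
    for (i = 0; free_rows && per_time_gains && i < num_itime; i++)
        track_free(per_time_gains[i]); /* the per-row free the buggy path lacks */
    track_free(per_time_gains);
    return ret;
}

/* Allocations still live after `calls` builds; 0 means nothing leaked. */
int leaked_after(int calls, int num_gain, int num_itime, int free_rows)
{
    static const int gains[10] = {1, 2, 4, 8, 16, 32, 64, 128, 256, 512}; /* constructed */
    int before = live_allocs, c;

    if (num_gain < 1 || num_gain > 10 || num_itime < 1)
        return -1;
    for (c = 0; c < calls; c++)
        if (build_table(gains, num_gain, num_itime, free_rows))
            return -1;
    return live_allocs - before;
}
```

Calling `leaked_after(5, 10, 5, 0)` models five test calls with 10 gains and 5 integration times; passing 1 as the last argument runs the same builds with the rows freed.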

Potential Impact

For European organizations, the impact of CVE-2024-50231 is primarily related to system reliability and availability. Organizations running Linux-based systems that utilize the Industrial I/O subsystem, particularly those employing the gts-helper module for sensor data or testing purposes, may experience gradual memory exhaustion due to unreleased kernel memory. This can lead to degraded system performance, increased kernel memory pressure, and in worst cases, system crashes or forced reboots, resulting in denial of service. Critical infrastructure sectors such as manufacturing, automotive, telecommunications, and research institutions that rely on sensor data processing and Linux-based embedded systems could be affected. Although this vulnerability does not directly expose confidentiality or integrity risks, the availability impact can disrupt operations, especially in environments requiring high uptime and reliability. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to potential future exploitation or accidental system degradation. The impact is more pronounced in systems with frequent module reloads or automated testing environments where the vulnerable code path is exercised repeatedly.

Mitigation Recommendations

To mitigate CVE-2024-50231, European organizations should take the following specific actions:

1) Identify and inventory Linux systems running kernel versions containing the vulnerable gts-helper code, focusing on those using the Industrial I/O subsystem and the iio-test-gts module.
2) Avoid unnecessary loading and unloading of the iio-test-gts module until a patch is available, especially in production environments.
3) Monitor kernel memory usage and system logs for signs of memory leaks or instability related to the IIO subsystem.
4) Engage with Linux kernel maintainers or vendors to obtain patches or backported fixes addressing the memory leak in iio_gts_build_avail_scale_table().
5) For organizations building custom kernels, apply source code fixes that ensure proper freeing of per_time_gains[i] allocations within the affected function.
6) Implement automated testing and validation to detect memory leaks during kernel module operations in development and staging environments.
7) Maintain robust system monitoring and alerting to detect early signs of resource exhaustion that could indicate exploitation or impact from this vulnerability.

These steps go beyond generic advice by focusing on the specific module and function involved, emphasizing proactive monitoring and patch management tailored to the Industrial I/O subsystem context.

Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-10-21T19:36:19.975Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9824c4522896dcbdf5cb

Added to database: 5/21/2025, 9:08:52 AM

Last enriched: 6/28/2025, 1:11:50 PM

Last updated: 8/16/2025, 4:22:47 PM
