CVE-2024-56643: Vulnerability in the Linux kernel
Description
In the Linux kernel, the following vulnerability has been resolved:

dccp: Fix memory leak in dccp_feat_change_recv

If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed.

Here is the kmemleak stack for this:

unreferenced object 0xffff88801d4ab488 (size 8):
  comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
  hex dump (first 8 bytes):
    01 b4 4a 1d 80 88 ff ff  ..J.....
  backtrace:
    [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128
    [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
    [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
    [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
    [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
    [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
    [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
    [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]
    [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570
    [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111
    [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
    [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
    [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
    [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865
    [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882
    [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]
    [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]
    [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
    [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1

Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
AI Analysis
Technical Summary
CVE-2024-56643 is a memory leak in the Linux kernel's implementation of the Datagram Congestion Control Protocol (DCCP), in the feature-negotiation function dccp_feat_change_recv. The leak occurs when a new value for an SP (Service Profile) feature has been accepted without reconciliation (the 'entry == NULL' branch) and dccp_feat_push_confirm() then fails: the copy of the value made by dccp_feat_clone_sp_val() is never freed, so each such failure leaves an unreferenced object in kernel memory. The leak was found with kmemleak, whose report (quoted above) shows the allocation path from the connect() system call through dccp_parse_options into dccp_feat_change_recv. The root cause is that the failure path of the confirmation step does not release memory allocated earlier in the same function. The weakness is classified as CWE-401 (Improper Release of Memory Before Removing Last Reference); the fix frees the cloned value when dccp_feat_push_confirm() fails and bails out with an error reset code so that no further processing happens on the leaked state. Affected kernel versions are identified by commit hashes in the CVE record, and no exploitation in the wild has been reported. The CVSS v3.1 base score is 3.3 (Low), vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L: local access with low privileges and no user interaction, affecting availability only.
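The bug the summary describes is a failure-path ownership gap: a value is copied, a later step that should take ownership of the copy fails, and the early return forgets the copy. The user-space C model below is an added example, not code from the kernel or from this advisory, and it reproduces only the shape of the bug and of the fix. In net/dccp/feat.c the copied SP value is a server-priority preference list, which is why the kernel helper is named dccp_feat_clone_sp_val(); here the names clone_sp_val, push_confirm, change_recv_leaky, change_recv_fixed, RESET_CODE_TOO_BUSY and the allocation counter are my own, and the counter plays the role that kmemleak played in the report quoted above.

```c
/*
 * Added example: user-space model of the CVE-2024-56643 failure-path leak.
 * Not kernel code. clone_sp_val(), push_confirm(), change_recv_leaky(),
 * change_recv_fixed() and RESET_CODE_TOO_BUSY are stand-ins for the kernel's
 * dccp_feat_clone_sp_val(), dccp_feat_push_confirm(), dccp_feat_change_recv()
 * and its DCCP reset code (the exact kernel constant is assumed, not quoted).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESET_CODE_TOO_BUSY 2   /* assumed stand-in for the kernel's reset code */

/* Allocations made through sp_alloc() that have not been released.
 * After a handler returns this should be 0; anything else is a leak. */
static int live_allocs;

static void *sp_alloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void sp_free(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Copy a received SP preference list, as dccp_feat_clone_sp_val() does with kmemdup(). */
static unsigned char *clone_sp_val(const unsigned char *vec, unsigned char len)
{
    unsigned char *copy = sp_alloc(len);
    if (copy)
        memcpy(copy, vec, len);
    return copy;
}

/* Model of dccp_feat_push_confirm(). On success the Confirm entry takes ownership of
 * vec (modelled here by releasing it immediately, so only a failure can leave an
 * allocation outstanding). On failure nothing took ownership and the caller still
 * owns vec. fail_push forces the failure path, which in the kernel is an
 * allocation failure while queueing the Confirm option. */
static int push_confirm(unsigned char *vec, unsigned char len, int fail_push)
{
    (void)len;
    if (fail_push)
        return -1;
    sp_free(vec);
    return 0;
}

/* Vulnerable shape: the clone is abandoned when the push fails. */
static int change_recv_leaky(const unsigned char *vec, unsigned char len, int fail_push)
{
    unsigned char *copy = clone_sp_val(vec, len);
    if (!copy)
        return RESET_CODE_TOO_BUSY;
    if (push_confirm(copy, len, fail_push))
        return RESET_CODE_TOO_BUSY;     /* BUG: copy is still allocated here */
    return 0;
}

/* Fixed shape: release the clone before bailing out with the reset code. */
static int change_recv_fixed(const unsigned char *vec, unsigned char len, int fail_push)
{
    unsigned char *copy = clone_sp_val(vec, len);
    if (!copy)
        return RESET_CODE_TOO_BUSY;
    if (push_confirm(copy, len, fail_push)) {
        sp_free(copy);                  /* the fix: free before returning */
        return RESET_CODE_TOO_BUSY;
    }
    return 0;
}

/* Drive one handler with a constructed 8-byte preference list (the leaked object in
 * the kmemleak report is also 8 bytes) and the push forced to fail; return how many
 * allocations are still outstanding afterwards. */
static int leaked_after_failed_push(int (*handler)(const unsigned char *, unsigned char, int))
{
    static const unsigned char pref[8] = { 2, 3, 0, 0, 0, 0, 0, 0 };  /* constructed */
    live_allocs = 0;
    (void)handler(pref, (unsigned char)sizeof pref, 1);
    return live_allocs;
}

int main(void)
{
    printf("leaky handler: %d object(s) outstanding after failed push\n",
           leaked_after_failed_push(change_recv_leaky));
    printf("fixed handler: %d object(s) outstanding after failed push\n",
           leaked_after_failed_push(change_recv_fixed));
    return 0;
}
```

Both handlers return the same reset code, so the difference is invisible to the caller; only an allocation tracker (here a counter, in the kernel kmemleak) shows that the leaky variant leaves one object behind per failed negotiation. That is why the page's mitigation advice to run kmemleak in test environments is the right detection for this class of bug.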
Potential Impact
For European organizations the impact of CVE-2024-56643 is generally low but should not be dismissed. Each triggered failure leaks a kernel allocation in the DCCP implementation, so repeated triggering over time leads to gradual resource exhaustion, degraded performance or denial of service on servers or network devices that rely on DCCP. The attack surface is limited because DCCP is rarely used compared to TCP or UDP, and the need for local access with low privileges reduces the risk of remote exploitation. Organizations running Linux systems with DCCP enabled, especially in network infrastructure or specialized applications, could nonetheless see stability problems or service interruptions, affecting the availability of critical services in telecom, real-time media streaming or other sectors that use DCCP. Given the low CVSS score and the absence of known exploits the immediate risk is low, but the leak could be used as one step in a larger attack chain or in insider-threat scenarios.
Mitigation Recommendations
To mitigate CVE-2024-56643, European organizations should:
1) Apply the latest Linux kernel patches that address this memory leak as soon as they become available from their distribution vendors or upstream Linux kernel releases.
2) Audit and monitor systems that use DCCP, especially network-facing servers or specialized applications, to detect abnormal memory usage or leaks.
3) Disable DCCP protocol support if it is not required for operational purposes, reducing the attack surface. This can be done by blacklisting the dccp kernel module or disabling it via kernel configuration.
4) Implement strict access controls to limit local user privileges and prevent untrusted users from triggering the vulnerability.
5) Employ kernel memory leak detection tools like kmemleak in testing environments to proactively identify similar issues.
6) Maintain robust system monitoring and alerting to detect early signs of resource exhaustion or denial of service conditions potentially related to this vulnerability.
These steps go beyond generic advice by focusing on protocol usage assessment, kernel module management, and proactive detection.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.840Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde44d
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:27:26 AM
Last updated: 7/31/2025, 8:20:31 AM