DEBIAN-CVE-2024-40910

Source
https://security-tracker.debian.org/tracker/DEBIAN-CVE-2024-40910
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-40910.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-40910
Upstream
Published
2024-07-12T13:15:14Z
Modified
2025-09-19T07:33:59.592322Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount imbalance on inbound connections

When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes.

A typical call trace for the above situation will start with one of the following errors:

    refcount_t: decrement hit 0; leaking memory.
    refcount_t: underflow; use-after-free.

And will then have a trace like:

    Call Trace:
    <TASK>
    ? show_regs+0x64/0x70
    ? __warn+0x83/0x120
    ? refcount_warn_saturate+0xb2/0x100
    ? report_bug+0x158/0x190
    ? prb_read_valid+0x20/0x30
    ? handle_bug+0x3e/0x70
    ? exc_invalid_op+0x1c/0x70
    ? asm_exc_invalid_op+0x1f/0x30
    ? refcount_warn_saturate+0xb2/0x100
    ? refcount_warn_saturate+0xb2/0x100
    ax25_release+0x2ad/0x360
    __sock_release+0x35/0xa0
    sock_close+0x19/0x20
    [...]

On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop:

    unregister_netdevice: waiting for ax0 to become free. Usage count = 0

This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.99-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.9.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.9.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name
linux-6.1
Purl
pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.119-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1
6.1.106-3~deb11u2
6.1.106-3~deb11u3
6.1.112-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}