LiveActive security incident?Get immediate response
CVE Record

CVE-2024-41006: netrom: Fix a memory leak in nr_heartbeat_expiry()

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2024-41006 is a Linux kernel memory leak in the NET/ROM networking code. The public record says it was found by Syzkaller and fixed in stable kernel commits. It is most relevant to systems that include or enable NET/ROM support, not typical application exposure.

Executive priority

Treat as routine kernel hygiene unless NET/ROM is enabled in production or affected appliances are exposed. Prioritize patching through normal maintenance windows, with faster action for embedded or industrial devices covered by vendor advisories.

Technical view

The flaw is in nr_heartbeat_expiry(). A prior fix added sock_hold() for destroyed sockets, but one path kept an unnecessary reference after nr_release(), causing leaked socket memory. The fix limits sock_hold() to the listening-socket case where a later put is expected.

Likely exposure

Exposure appears limited to Linux systems running affected kernel versions with NET/ROM support present or enabled. Downstream exposure may exist in distributions and appliances, as Debian LTS and Siemens advisories reference this CVE. The provided sources do not identify remote exploit prerequisites or default exposure.

Exploitation context

No CISA KEV listing is provided, and the source bundle contains no evidence of active exploitation. The issue was reported through Syzkaller-based testing, which supports reliability of the bug finding but not real-world exploitation status.

Researcher notes

The public data supports a memory leak caused by reference-count handling in the NET/ROM heartbeat expiry path. There is no CVSS, CWE, or exploitability detail in the bundle, so impact beyond resource leakage should not be assumed.

Mitigation direction

  • Check vendor kernel advisories for the affected Linux distribution or appliance.
  • Apply the relevant stable kernel update when available for your branch.
  • Disable or avoid loading NET/ROM support where it is not operationally required.
  • Track downstream advisories from Debian, Siemens, and other affected vendors.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and embedded systems.
  • Check whether NET/ROM or related AX.25 networking support is enabled or loadable.
  • Confirm installed kernels include the referenced stable fix commits or vendor backports.
  • Review vendor advisories for product-specific affected and fixed versions.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-41006 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxa31caf5779ace8fa98b0d454133808e082ee7a1b, fe9b9e621cebe6b7e83f7e954c70f8bb430520e5, 7de16d75b20ab13b75a7291f449a1b00090edfea, d2d3ab1b1de3302de2c85769121fd4f890e47ceb, 51e394c6f81adbfe7c34d15f58b3d4d44f144acf, 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9, 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9, 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9, e666990abb2e42dd4ba979b4706280a3664cfae7, 4.19.272, 5.4.231, 5.10.166, 5.15.91, 6.1.9, 4.14.305unaffected
LinuxLinux6.2, 0, 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.96, 6.6.36, 6.9.7, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.