CVE-2024-41006: netrom: Fix a memory leak in nr_heartbeat_expiry()
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix a memory leak in nr_heartbeat_expiry()
syzbot reported a memory leak in nr_create() [0].
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."
nr_connect
nr_establish_data_link
nr_start_heartbeat
nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
Security readout for executives and security teams
Plain-English summary
CVE-2024-41006 is a Linux kernel memory leak in the NET/ROM networking code. The public record says it was found by Syzkaller and fixed in stable kernel commits. It is most relevant to systems that include or enable NET/ROM support, not typical application exposure.
Executive priority
Treat as routine kernel hygiene unless NET/ROM is enabled in production or affected appliances are exposed. Prioritize patching through normal maintenance windows, with faster action for embedded or industrial devices covered by vendor advisories.
Technical view
The flaw is in nr_heartbeat_expiry(). A prior fix added sock_hold() for destroyed sockets, but one path kept an unnecessary reference after nr_release(), causing leaked socket memory. The fix limits sock_hold() to the listening-socket case where a later put is expected.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions with NET/ROM support present or enabled. Downstream exposure may exist in distributions and appliances, as Debian LTS and Siemens advisories reference this CVE. The provided sources do not identify remote exploit prerequisites or default exposure.
Exploitation context
No CISA KEV listing is provided, and the source bundle contains no evidence of active exploitation. The issue was reported through Syzkaller-based testing, which supports reliability of the bug finding but not real-world exploitation status.
Researcher notes
The public data supports a memory leak caused by reference-count handling in the NET/ROM heartbeat expiry path. There is no CVSS, CWE, or exploitability detail in the bundle, so impact beyond resource leakage should not be assumed.
Mitigation direction
Check vendor kernel advisories for the affected Linux distribution or appliance.
Apply the relevant stable kernel update when available for your branch.
Disable or avoid loading NET/ROM support where it is not operationally required.
Track downstream advisories from Debian, Siemens, and other affected vendors.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and embedded systems.
Check whether NET/ROM or related AX.25 networking support is enabled or loadable.
Confirm installed kernels include the referenced stable fix commits or vendor backports.
Review vendor advisories for product-specific affected and fixed versions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-41006 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.