{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40910", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.580Z", "datePublished": "2024-07-12T12:20:49.085Z", "dateUpdated": "2024-09-11T17:34:37.278Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:17.202Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n <TASK>\n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ax25/af_ax25.c"], "versions": [{"version": "9fd75b66b8f6", "lessThan": "f4df9d6c8d4e", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "52100fd74ad0", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "a723a6c8d483", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "3c34fb0bd4a4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ax25/af_ax25.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb"}, {"url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3"}, {"url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964"}, {"url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774"}], "title": "ax25: Fix refcount imbalance on inbound connections", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.370Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:06:05.854978Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:37.278Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40910", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.580Z", "datePublished": "2024-07-12T12:20:49.085Z", "dateUpdated": "2024-08-02T04:39:55.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:51:17.202Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n <TASK>\n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ax25/af_ax25.c"], "versions": [{"version": "9fd75b66b8f6", "lessThan": "f4df9d6c8d4e", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "52100fd74ad0", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "a723a6c8d483", "status": "affected", "versionType": "git"}, {"version": "9fd75b66b8f6", "lessThan": "3c34fb0bd4a4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/ax25/af_ax25.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "custom"}, {"version": "6.1.95", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.35", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.6", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb"}, {"url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3"}, {"url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964"}, {"url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774"}], "title": "ax25: Fix refcount imbalance on inbound connections", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:06:05.854978Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-09-11T12:42:24.847Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFECBC56-DE9A-457A-AE19-CA526A30C054", "versionEndExcluding": "6.1.95", "versionStartIncluding": "5.18", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6F019D15-84C0-416B-8C57-7F51B68992F0", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix refcount imbalance on inbound connections\n\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\n\nA typical call trace for the above situation will start with one of the\nfollowing errors:\n\n refcount_t: decrement hit 0; leaking memory.\n refcount_t: underflow; use-after-free.\n\nAnd will then have a trace like:\n\n Call Trace:\n <TASK>\n ? show_regs+0x64/0x70\n ? __warn+0x83/0x120\n ? refcount_warn_saturate+0xb2/0x100\n ? report_bug+0x158/0x190\n ? prb_read_valid+0x20/0x30\n ? handle_bug+0x3e/0x70\n ? exc_invalid_op+0x1c/0x70\n ? asm_exc_invalid_op+0x1f/0x30\n ? refcount_warn_saturate+0xb2/0x100\n ? refcount_warn_saturate+0xb2/0x100\n ax25_release+0x2ad/0x360\n __sock_release+0x35/0xa0\n sock_close+0x19/0x20\n [...]\n\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\n\n unregister_netdevice: waiting for ax0 to become free. Usage count = 0\n\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ax25: corrige el desequilibrio de recuento en conexiones entrantes Al liberar un socket en ax25_release(), llamamos a netdev_put() para disminuir el recuento en el dispositivo ax.25 asociado. Sin embargo, la ruta de ejecuci\u00f3n para aceptar una conexi\u00f3n entrante nunca llama a netdev_hold(). Este desequilibrio conduce a errores de recuento y, en \u00faltima instancia, a fallos del kernel. Un seguimiento de llamada t\u00edpico para la situaci\u00f3n anterior comenzar\u00e1 con uno de los siguientes errores: refcount_t: decrement hit 0; p\u00e9rdida de memoria. refcount_t: desbordamiento insuficiente; use-after-free. Y luego tendr\u00e1 un seguimiento como: Call Trace: ? show_regs+0x64/0x70? __advertir+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100? report_bug+0x158/0x190? prb_read_valid+0x20/0x30? handle_bug+0x3e/0x70? exc_invalid_op+0x1c/0x70? asm_exc_invalid_op+0x1f/0x30? refcount_warn_saturate+0xb2/0x100? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] Al reiniciar (o cualquier intento de eliminar la interfaz), el kernel se atasca en un bucle infinito: unregister_netdevice: esperando ax0 para quedar libre. Recuento de uso = 0 Este parche corrige estos problemas asegurando que llamemos a netdev_hold() y ax25_dev_hold() para nuevas conexiones en ax25_accept(). Esto hace que la l\u00f3gica que conduce a ax25_accept() coincida con la l\u00f3gica de ax25_bind(): en ambos casos incrementamos el refcount, que finalmente disminuye en ax25_release()."}], "id": "CVE-2024-40910", "lastModified": "2024-08-29T13:55:38.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-12T13:15:14.213", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: ax25: Fix refcount imbalance on inbound connections", "id": "2297494", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297494"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-911", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nax25: Fix refcount imbalance on inbound connections\nWhen releasing a socket in ax25_release(), we call netdev_put() to\ndecrease the refcount on the associated ax.25 device. However, the\nexecution path for accepting an incoming connection never calls\nnetdev_hold(). This imbalance leads to refcount errors, and ultimately\nto kernel crashes.\nA typical call trace for the above situation will start with one of the\nfollowing errors:\nrefcount_t: decrement hit 0; leaking memory.\nrefcount_t: underflow; use-after-free.\nAnd will then have a trace like:\nCall Trace:\n<TASK>\n? show_regs+0x64/0x70\n? __warn+0x83/0x120\n? refcount_warn_saturate+0xb2/0x100\n? report_bug+0x158/0x190\n? prb_read_valid+0x20/0x30\n? handle_bug+0x3e/0x70\n? exc_invalid_op+0x1c/0x70\n? asm_exc_invalid_op+0x1f/0x30\n? refcount_warn_saturate+0xb2/0x100\n? refcount_warn_saturate+0xb2/0x100\nax25_release+0x2ad/0x360\n__sock_release+0x35/0xa0\nsock_close+0x19/0x20\n[...]\nOn reboot (or any attempt to remove the interface), the kernel gets\nstuck in an infinite loop:\nunregister_netdevice: waiting for ax0 to become free. Usage count = 0\nThis patch corrects these issues by ensuring that we call netdev_hold()\nand ax25_dev_hold() for new connections in ax25_accept(). This makes the\nlogic leading to ax25_accept() match the logic for ax25_bind(): in both\ncases we increment the refcount, which is ultimately decremented in\nax25_release().", "A vulnerability was found in the Linux kernel, related to the ax25 protocol. This issue can cause a reference count imbalance during the handling of inbound connections. The ax25_release() function incorrectly decrements the reference count of the associated ax.25 device using netdev_put() without a corresponding netdev_hold() in the connection acceptance path. This imbalance can lead to kernel crashes and memory errors, indicated by messages such as refcount_t: decrement hit 0; leaking memory and refcount_t: underflow; use-after-free."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40910", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40910\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40910\nhttps://lore.kernel.org/linux-cve-announce/2024071210-CVE-2024-40910-d7d9@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.1.95, kernel 6.6.35, kernel 6.9.6, kernel 6.10-rc3"}