CVE-2024-41006 Overview
CVE-2024-41006 is a memory leak vulnerability in the Linux kernel's NET/ROM amateur radio networking subsystem. The flaw is in the nr_heartbeat_expiry() timer handler, where an unbalanced sock_hold() leaves the memory of an already-closed socket unreleased when the SOCK_DESTROY flag is set. The bug was found by Syzkaller fuzzing and reported by InfoTeCS on behalf of the Linux Verification Center.
Critical Impact
Local attackers with low privileges can trigger the leak repeatedly and exhaust kernel memory, causing system instability or denial of service. Only systems where NET/ROM support is built in, loaded, or loadable on demand are exposed; there is no code execution or information disclosure component.
Affected Products
- Linux Kernel (multiple stable versions)
- Linux Kernel 6.10-rc1 through 6.10-rc4
- Debian Linux (as noted in LTS advisory)
Discovery Timeline
- July 12, 2024 - CVE-2024-41006 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-41006
Vulnerability Analysis
The vulnerability resides in the NET/ROM protocol implementation within the Linux kernel, specifically in the socket reference counting of nr_heartbeat_expiry(). It was introduced by an earlier commit, 409db27e3a2e, which fixed a use-after-free of a listening socket but widened the condition under which the heartbeat handler takes an extra reference.
When a connected NET/ROM socket is closed, nr_release() moves it from NR_STATE_3 to NR_STATE_2, sets the SOCK_DESTROY flag, and drops the reference held by the file descriptor. Processing of the peer's reply then takes the socket to NR_STATE_0. If the heartbeat timer fires in that state with SOCK_DESTROY set, nr_heartbeat_expiry() calls sock_hold() before tearing the socket down. Because the file descriptor is already closed and nr_release() has already run, nothing ever issues the matching sock_put(), so the reference count never reaches zero and the socket's memory is never freed.
Root Cause
The root cause is an overly broad condition in nr_heartbeat_expiry() that calls sock_hold() for both:
- Case A: Sockets with SOCK_DESTROY flag set
- Case B: Listening sockets with SOCK_DEAD flag set
For Case A the sock_hold() is wrong because cleanup has already been initiated through nr_release(), and no remaining code path calls sock_put() to balance the extra reference. The fix takes the reference for Case B only (listening sockets), where the reference counting is balanced.
Attack Vector
The attack requires local access with ordinary user privileges on a system where the netrom module is loaded or can be loaded on demand; creating an AF_NETROM socket needs no special capability, and the kernel requests the module by alias on the first such socket() call unless that is blocked in modprobe configuration. The exploitation flow follows this sequence:
- Establish a NET/ROM connection via nr_connect()
- Trigger the data link establishment through nr_establish_data_link()
- Start the heartbeat timer with nr_start_heartbeat()
- Close the socket to invoke nr_release(), setting SOCK_DESTROY
- Allow frame processing to transition the socket to NR_STATE_0
- Wait for heartbeat expiry, which leaks the socket memory
The vulnerability does not provide code execution capabilities but can be exploited repeatedly to exhaust kernel memory resources. Each leaked socket consumes kernel memory that is never reclaimed, eventually leading to system degradation or denial of service.
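The reference-count imbalance described under Root Cause and the close-then-heartbeat sequence listed above, as an added user-space model in C. This is not kernel code and is not part of the original page: struct sock, sock_hold(), sock_put(), nr_release() and nr_destroy_socket() are reduced to the effects the bug depends on, the starting reference count of two and the nr_rx_disconnect_ack() stand-in for frame processing are assumptions made for the illustration, and the fixed flag switches between the pre-patch condition and the patched one that takes the extra reference only for a listening socket.

```c
/* Added model for CVE-2024-41006, not kernel code. Only the effects the leak
 * depends on are kept; the initial reference count and the frame-processing
 * stand-in below are assumptions made for the illustration. */
#include <stdbool.h>
#include <stdio.h>

enum { NR_STATE_0 = 0, NR_STATE_2 = 2, NR_STATE_3 = 3 };
enum { TCP_CLOSE = 0, TCP_LISTEN = 1 };

struct sock {
    int refcnt;        /* stands in for sk_refcnt */
    bool sock_destroy; /* SOCK_DESTROY */
    bool sock_dead;    /* SOCK_DEAD */
    int sk_state;      /* TCP_LISTEN or TCP_CLOSE */
    int nr_state;      /* NET/ROM state machine state */
    bool freed;        /* set when the last reference is dropped */
};

static void sock_hold(struct sock *sk) { sk->refcnt++; }

static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true; /* the kernel frees the struct sock at this point */
}

/* Assumption: a connected socket is referenced twice, once by the open file
 * descriptor and once by the protocol itself, so an unbalanced sock_hold()
 * remains visible as a nonzero count after both are gone. */
static struct sock new_connected_sock(void)
{
    struct sock sk = { .refcnt = 2, .sk_state = TCP_CLOSE, .nr_state = NR_STATE_3 };
    return sk;
}

/* nr_release() on a connected socket: NR_STATE_3 -> NR_STATE_2, SOCK_DESTROY
 * set, and the file descriptor's reference dropped. */
static void nr_release(struct sock *sk)
{
    if (sk->nr_state == NR_STATE_3) {
        sk->nr_state = NR_STATE_2;
        sk->sock_destroy = true;
    }
    sock_put(sk);
}

/* Hypothetical stand-in for the frame processing that moves the socket from
 * NR_STATE_2 to NR_STATE_0 while it waits for the heartbeat timer. */
static void nr_rx_disconnect_ack(struct sock *sk)
{
    if (sk->nr_state == NR_STATE_2)
        sk->nr_state = NR_STATE_0;
}

/* In this model nr_destroy_socket() releases the protocol's own reference. */
static void nr_destroy_socket(struct sock *sk) { sock_put(sk); }

/* NR_STATE_0 branch of nr_heartbeat_expiry(). With fixed == false the extra
 * sock_hold() is taken for SOCK_DESTROY as well; with fixed == true only a
 * listening socket gets it, which is the behaviour of the patch. */
static void nr_heartbeat_expiry(struct sock *sk, bool fixed)
{
    if (sk->nr_state != NR_STATE_0)
        return;
    if (sk->sock_destroy || (sk->sk_state == TCP_LISTEN && sk->sock_dead)) {
        if (!fixed || sk->sk_state == TCP_LISTEN)
            sock_hold(sk);
        nr_destroy_socket(sk);
    }
}

/* Runs the close-then-heartbeat sequence from the advisory and returns the
 * number of references still outstanding; anything above zero is a leak. */
int leaked_refs_after_close(bool fixed)
{
    struct sock sk = new_connected_sock();
    nr_release(&sk);           /* fd closed: SOCK_DESTROY set, refcnt 2 -> 1 */
    nr_rx_disconnect_ack(&sk); /* NR_STATE_2 -> NR_STATE_0 */
    nr_heartbeat_expiry(&sk, fixed);
    return sk.freed ? 0 : sk.refcnt;
}

int main(void)
{
    printf("unpatched: %d reference(s) left after close\n", leaked_refs_after_close(false));
    printf("patched:   %d reference(s) left after close\n", leaked_refs_after_close(true));
    return 0;
}
```

Compile with cc -std=c11 and run: the unpatched path reports one reference still outstanding after the heartbeat fires, the patched path reports none. A listening socket with SOCK_DEAD is deliberately not modelled, because the page states only that its reference counting is balanced, not how the hold and put are paired.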
Detection Methods for CVE-2024-41006
Indicators of Compromise
- Gradual increase in kernel memory usage without corresponding user-space activity
- NET/ROM sockets listed in /proc/net/nr with an inode of 0 that outlive the process which created them (ss has no NET/ROM family filter, so /proc/net/nr is the only socket-level view). A socket leaked through this path may already have been removed from the protocol's socket list by the heartbeat handler and therefore not appear there at all, so treat slab growth as the more reliable signal
- System instability or out-of-memory (OOM) killer activations on systems with NET/ROM enabled
Detection Strategies
- Watch kernel memory with slabtop or the Slab and SUnreclaim lines of /proc/meminfo for sustained growth; NET/ROM registers its protocol without a dedicated slab cache, so leaked sockets land in the generic kmalloc-* caches rather than in a socket-specific one
- Use kmemleak (CONFIG_DEBUG_KMEMLEAK) in test environments: after exercising NET/ROM sockets, trigger a scan with echo scan > /sys/kernel/debug/kmemleak and read /sys/kernel/debug/kmemleak; an unreferenced object whose backtrace ends in NET/ROM socket creation is the signature the original fuzzing report showed
- Deploy SentinelOne's Singularity platform to detect anomalous kernel behavior and memory consumption patterns
Monitoring Recommendations
- Track NET/ROM socket creation and destruction rates for imbalances indicating leaks
- Set up alerting for systems exhibiting sustained kernel memory growth
- Monitor for repeated NET/ROM connection attempts from untrusted local users
How to Mitigate CVE-2024-41006
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- If immediate patching is not possible and amateur radio networking is not required, unload the netrom module (modprobe -r netrom) and also block it from being loaded again: an unprivileged socket(AF_NETROM, ...) call makes the kernel request the module by alias, so unloading alone is not enough
- Restrict local user access to systems where NET/ROM is essential
Patch Information
Multiple patches have been released across stable kernel branches to address this vulnerability. The fix modifies nr_heartbeat_expiry() to only call sock_hold() for listening sockets with SOCK_DEAD flag, excluding sockets that only have SOCK_DESTROY set. Key patch commits include:
- Kernel Git Commit 0b913024
- Kernel Git Commit 280cf11
- Kernel Git Commit 5391f9d
- Kernel Git Commit a02fd5d
Debian users should refer to the Debian LTS Announcement for distribution-specific guidance.
Workarounds
- Unload the NET/ROM protocol module if amateur radio networking is not required: modprobe -r netrom (not possible if the kernel was built with CONFIG_NETROM=y, in which case only a kernel update helps)
- Prevent automatic loading by adding blacklist netrom and install netrom /bin/false to a file under /etc/modprobe.d; the blacklist line stops alias-based autoload on socket(AF_NETROM, ...), the install line also defeats an explicit modprobe
- Implement resource limits and monitoring to detect and respond to memory exhaustion conditions
# Unload NET/ROM now (fails if the module is in use; impossible if CONFIG_NETROM=y built it into the kernel)
modprobe -r netrom
# Prevent it from being loaded again, including the kernel's own request on socket(AF_NETROM, ...)
printf '%s\n' 'blacklist netrom' 'install netrom /bin/false' >> /etc/modprobe.d/blacklist-netrom.conf
# Verify: nothing loaded now, and a dry-run load resolves to the /bin/false stub instead of the module
lsmod | grep -w netrom || echo "netrom is not loaded"
modprobe -n -v netrom
# If NET/ROM is built in rather than modular, only a kernel update removes the exposure
grep -w CONFIG_NETROM "/boot/config-$(uname -r)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

