CVE-2024-38602 in Linux
Summary
by MITRE • 06/19/2024
In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix reference count leak issues of ax25_dev
ax25_addr_ax25dev() and ax25_dev_device_down() have a reference count leak issue with the object "ax25_dev".
Memory leak issue in ax25_addr_ax25dev():
The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak.
Memory leak issues in ax25_dev_device_down():
The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increased when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down, ax25_dev_device_down() drops the reference count once or twice depending on whether we goto unlock_put or not, which will cause a memory leak.
As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.
Analysis
by VulDB Data Team • 10/05/2025
The vulnerability identified as CVE-2024-38602 affects the Linux kernel's Amateur Radio AX.25 protocol implementation, specifically targeting reference count management within the ax25_dev object structure. This issue resides in the kernel's networking subsystem and represents a classic memory management flaw that can lead to resource exhaustion and system instability. The AX.25 protocol is used for amateur radio packet communication and operates at the network layer, making this vulnerability particularly concerning for systems that rely on radio communication infrastructure or embedded networking devices.
The technical flaw manifests in two distinct code paths within the AX.25 subsystem where reference counting mechanisms fail to properly maintain object lifecycle management. In the ax25_addr_ax25dev() function, multiple increment operations on the ax25_dev reference count can occur without corresponding decrement operations, creating a situation where objects remain allocated in memory even when they should be freed. The ax25_dev_device_down() function presents a more complex scenario where the reference count is initialized to one during device up operations and then incremented again when the device is added to the ax25_dev_list, resulting in a reference count of two. During device shutdown, the cleanup logic inconsistently reduces this count, leading to memory leaks that persist until the system reboots or the objects are eventually garbage collected.
This vulnerability directly maps to CWE-401: Improper Release of Memory Before Removing Last Reference, which is categorized under the broader weakness of memory management errors in kernel space. The operational impact extends beyond simple memory consumption issues as it can lead to progressive resource exhaustion, potentially causing denial of service conditions where the system becomes unresponsive to new network connections or fails to properly handle existing ones. The memory leak issues are particularly dangerous in embedded systems or network appliances that operate with limited memory resources, where such leaks can accumulate over time and eventually compromise system stability. From an attacker perspective, this vulnerability could be leveraged to perform resource exhaustion attacks against systems running the affected kernel versions.
The mitigation strategy involves implementing proper reference count management in both affected functions. For ax25_addr_ax25dev(), the fix requires adding a break statement to prevent multiple increments of the same pointer reference, ensuring that each object reference is properly tracked. For ax25_dev_device_down(), the solution involves maintaining consistent reference count operations by ensuring that the ax25_dev object is incremented exactly once during device up operations and decremented exactly once after removal from the ax25_dev_list. This approach aligns with the ATT&CK framework's defensive techniques for memory management and kernel security, specifically targeting the persistence and privilege escalation vectors that could arise from improper reference counting. System administrators should prioritize updating to kernel versions containing these fixes, particularly in environments where amateur radio communication systems or network infrastructure relies on AX.25 protocol support, as the vulnerability represents a medium to high severity risk that could impact operational continuity and system availability.
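The two leak paths and their fixes can be followed in a small userspace model. This is an added example, not kernel code and not the upstream patch: the struct, the helper names, the `fixed` and `drops` parameters and the callsign "N0CALL" are constructed, and the lookup case assumes two list entries match the same address.

```c
/* Userspace model of the ax25_dev refcounting described above; not kernel code. */
#include <stdio.h>
#include <string.h>

struct dev { int refs; int freed; const char *addr; struct dev *next; };

static void hold(struct dev *d) { d->refs++; }
static void put(struct dev *d)  { if (--d->refs == 0) d->freed = 1; }

/* Lookup by address: the caller gets one pointer back, so it can put() only
 * one reference. fixed=0 keeps scanning after a match; fixed=1 breaks. */
static struct dev *lookup(struct dev *list, const char *addr, int fixed)
{
    struct dev *res = NULL;
    for (struct dev *d = list; d != NULL; d = d->next) {
        if (strcmp(d->addr, addr) == 0) {
            res = d;
            hold(d);
            if (fixed)
                break;
        }
    }
    return res;
}

/* References stranded after one lookup and one put() by the caller.
 * Assumption: two list entries match the same constructed address. */
static int refs_leaked_by_lookup(int fixed)
{
    struct dev b = { 1, 0, "N0CALL", NULL };   /* refs = 1: held by the list */
    struct dev a = { 1, 0, "N0CALL", &b };
    put(lookup(&a, "N0CALL", fixed));
    return (a.refs - 1) + (b.refs - 1);
}

/* Device up, then down; returns 1 if the object ends up freed.
 * fixed=0: refs set to 1, +1 for the list, down drops `drops` (1 or 2).
 * fixed=1: one reference taken at up, one dropped after list removal. */
static int freed_after_down(int fixed, int drops)
{
    struct dev d = { 0, 0, "N0CALL", NULL };
    if (fixed) { hold(&d); put(&d); return d.freed; }
    d.refs = 1;
    hold(&d);
    while (drops-- > 0) put(&d);
    return d.freed;
}
int main(void) { printf("%d %d\n", refs_leaked_by_lookup(0), freed_after_down(0, 1)); return 0; }
```

In the model, a count that never returns to zero corresponds to an ax25_dev object that is never released.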