CVE-2024-40985 in Linuxinfo

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

net/tcp_ao: Don't leak ao_info on error-path

It seems I introduced it together with TCP_AO_CMDF_AO_REQUIRED, on version 5 [1] of TCP-AO patches. Quite frustrative that having all these
selftests that I've written, running kmemtest & kcov was always in todo.

[1]: https://lore.kernel.org/netdev/[email protected]/

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/07/2025

The vulnerability identified as CVE-2024-40985 represents a memory leak issue within the Linux kernel's TCP-AO (Authenticated Offload) implementation. This flaw specifically affects the tcp_ao module and occurs during error handling paths when the kernel fails to properly release memory allocated for ao_info structures. The vulnerability was introduced in version 5 of the TCP-AO patches, which were developed by Dima on behalf of Arista Networks, and represents a regression in memory management practices that should have been caught during testing phases.

The technical nature of this vulnerability falls under CWE-401: "Improper Release of Memory Before Removing Last Reference" and demonstrates a classic memory leak pattern where allocated resources are not properly freed when error conditions occur. The issue manifests in the TCP-AO subsystem when processing authentication options for TCP connections, specifically in the ao_info data structure that manages authentication information. During error paths, the kernel fails to execute the proper cleanup routines that would normally release these memory allocations, leading to gradual memory consumption over time.

From an operational perspective, this vulnerability poses significant risks to systems running Linux kernels with TCP-AO support enabled. The memory leak, while seemingly small per occurrence, can accumulate over time and potentially lead to system performance degradation, memory exhaustion, or even system instability under high network load conditions. The vulnerability is particularly concerning because it affects the core networking stack and can impact any system that utilizes TCP-AO authentication features, which are commonly deployed in enterprise environments and network infrastructure devices. The fact that this issue was not caught by existing selftests, kmemtest, or kcov tools indicates a gap in testing coverage that may have allowed similar issues to persist undetected.

The mitigation strategy for CVE-2024-40985 involves applying the kernel patch that properly implements memory cleanup on error paths within the tcp_ao module. System administrators should prioritize updating their Linux kernel versions to include the fix, particularly in environments where TCP-AO is actively used. The fix requires ensuring that ao_info structures are properly freed regardless of whether the operation completes successfully or encounters an error condition. Organizations should also conduct thorough testing of kernel updates in staging environments before deployment to ensure no regressions are introduced. This vulnerability aligns with ATT&CK technique T1070.004: "File and Directory Permissions Modification" in the context of memory management, as it represents an improper handling of allocated resources that could be exploited to consume system resources over time, potentially leading to denial of service conditions. The issue demonstrates the critical importance of comprehensive testing, particularly for memory management functions, and highlights the need for robust error path validation in kernel code development processes.

Responsible

Linux

Reservation

07/12/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!