CVE-2024-38554: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-38554 is a reference count leak vulnerability discovered in the Linux kernel's AX.25 networking subsystem. The issue affects Linux kernel versions from 5.17 up to (excluding) 6.1.93, 6.2 up to (excluding) 6.6.33, 6.7 up to (excluding) 6.8.12, and 6.9 up to (excluding) 6.9.3. The vulnerability was disclosed on June 19, 2024, and has been assigned a CVSS v3.1 base score of 5.5 (Medium) (NVD).

The vulnerability exists in the ax25devdevicedown() function within the Linux kernel's AX.25 networking code. When an AX.25 device is shutting down, the function inconsistently handles the reference count of the netdevice object, dropping it either once or zero times depending on whether the code path reaches the unlockput label. This inconsistency leads to a memory leak. The issue stems from improper reference counting after the dev->ax25ptr is set to null (Kernel Patch).

The vulnerability results in a memory leak in the Linux kernel when shutting down AX.25 network devices. While this does not directly lead to code execution or privilege escalation, it can cause system resource depletion over time, potentially affecting system stability and performance (NVD).

The vulnerability has been fixed in the Linux kernel through a patch that corrects the reference counting behavior in ax25devdevicedown(). The fix involves properly decreasing the reference count of netdevice after dev->ax25_ptr is set to null. Users should update to kernel versions 6.1.93, 6.6.33, 6.8.12, 6.9.3 or later, depending on their kernel series (Kernel Patch).