CVE-2024-40997: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-40997 is a memory leak vulnerability discovered in the Linux kernel's AMD P-State driver, specifically in the CPU EPP (Energy Performance Preference) exit functionality. The vulnerability was identified on July 12, 2024, affecting Linux kernel versions up to 6.6.36 and from 6.7 up to 6.9.7. The issue occurs because the cpudata memory allocated by kzalloc() in amdpstateeppcpuinit() is not properly freed in the corresponding exit function (NVD).

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) with a CVSS v3.1 base score of 5.5 (Medium). The technical issue stems from a memory management flaw in the AMD P-State driver where memory allocated during CPU initialization is not properly deallocated during the exit process. The vulnerability requires local access and low privileges to exploit (NVD).

The vulnerability can lead to memory leaks in the Linux kernel when the AMD P-State driver's CPU EPP functionality is used. While the impact is limited to availability (no confidentiality or integrity impacts), it could potentially lead to system resource exhaustion over time (NVD).

The vulnerability has been patched in the Linux kernel through a fix that properly frees the cpudata memory in the amdpstateeppcpuexit function. The fix has been implemented in various Linux distributions, including Ubuntu 24.04 LTS (noble) with kernel version 6.8.0-44.44 and other distribution-specific kernel versions (Kernel Patch).