CVE-2024-41002: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-41002 affects the Linux kernel's crypto subsystem, specifically in the Hisilicon/SEC driver. The vulnerability was discovered and disclosed on July 12, 2024, and involves a memory leak in the SEC resource release functionality. The issue affects multiple versions of the Linux kernel up to versions 5.15.162, 6.1.96, 6.6.36, and 6.9.7 (NVD).

The vulnerability stems from incomplete resource cleanup in the Hisilicon/SEC crypto driver. The AIV (Authentication Initialization Vector) is one of the SEC resources that wasn't being properly released during resource cleanup operations. When releasing resources, the AIV resources need to be released simultaneously with other resources. The missing AIV resource release in the sec resource release function leads to memory leakage (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in memory leakage in the Linux kernel's crypto subsystem. While there is no direct impact on confidentiality or integrity, the memory leak can affect system availability over time as memory resources are not properly freed (NVD).

The vulnerability has been fixed in multiple Linux kernel versions. Ubuntu has released patches for various kernel versions including 6.8.0-44.44 for 24.04 LTS and 5.15.0-121.131 for 22.04 LTS. Debian has also addressed this in version 6.1.119-1~deb11u1 for Debian 11 (Ubuntu, Debian).