CVE-2024-47733: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in the Linux kernel's netfs module, identified as CVE-2024-47733. The issue was found in versions from 6.8 up to (excluding) 6.10.13 and from 6.11 up to (excluding) 6.11.2. The vulnerability relates to improper cleanup of proc filesystem entries when the netfs module is unloaded, which was discovered and reported in October 2024 (NVD).

The vulnerability occurs in the netfs module's exit function where remove_proc_entry() is used instead of remove_proc_subtree() to clean up the '/fs/netfs' directory. When the module is unloaded, it only deletes the proc entry of 'fs/netfs' without deleting its subtree, leading to a resource leak. This issue has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a resource leak in the proc filesystem when the netfs module is unloaded. While this doesn't lead to immediate system compromise, it can cause system warnings and potential memory leaks. The issue is classified as CWE-772: Missing Release of Resource after Effective Lifetime (NVD).

The issue has been fixed by replacing remove_proc_entry() with remove_proc_subtree() in the netfs_exit() function. The fix has been implemented in various Linux distributions, including Ubuntu 24.04 LTS (noble) and 24.10 (oracular). Users should update their systems to the patched versions: Ubuntu 24.04 - linux 6.8.0-54.56, Ubuntu 24.10 - linux 6.11.0-18.18 (Ubuntu Security).