CVE-2024-56632: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-56632 is a memory leak vulnerability discovered in the Linux kernel's NVMe-TCP implementation. The vulnerability was disclosed on December 27, 2024, and affects Linux kernel versions from 6.7 up to (excluding) 6.12.5, including version 6.13-rc1. The issue occurs specifically in the NVMe-TCP controller creation process, where memory allocated for the admin queue tagset is not properly freed when controller creation fails (NVD, CVE).

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) with a CVSS v3.1 base score of 5.5 (Medium). The technical issue stems from a failure to properly free the tagset occupied by admin_q when new controller creation fails. This was identified as a regression from commit fd1418de10b9 which dealt with nvme-tcp admin queue teardown (Kernel Patch).

The vulnerability results in a memory leak condition in the Linux kernel's NVMe-TCP subsystem. When the creation of a new controller fails, the system fails to release allocated memory resources, potentially leading to resource exhaustion over time (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves properly freeing the tagset when controller creation fails by modifying the nvme_tcp_teardown_admin_queue function call. Users should upgrade to Linux kernel version 6.12.5 or later to address this vulnerability (Kernel Patch).