What is CVE-2024-38602?

CVE-2024-38602 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. CVE-2024-38602 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2024-38602?

CVE-2024-38602 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2024-38602?

No patch is currently available for CVE-2024-38602. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2024-38602 actively exploited?

CVE-2024-38602 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2024-38602

Medium

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object "ax25_dev". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list.

Package Linux Kernel

Published 2024-06-19

Last modified 2024-11-21

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

The following references provide additional information about CVE-2024-38602 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1ea02699c7557eeb35ccff2bd822de1b3e09d868
Patch
Kernel patch commit
https://git.kernel.org/stable/c/38eb01edfdaa1562fa00429be2e33f45383b1b3a
Patch
Kernel patch commit
https://git.kernel.org/stable/c/81d8240b0a243b3ddd8fa8aa172f1acc2f7cc8f3
Patch

5 patch commits total View all on NVD

Details

CVE ID CVE-2024-38602

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-06-19

Modified 2024-11-21

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2024-38602?

CVE-2024-38602 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . CVE-2024-38602 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2024-38602?

CVE-2024-38602 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2024-38602?

No patch is currently available for CVE-2024-38602. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2024-38602 actively exploited?

No — CVE-2024-38602 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.