Sidraya Jayagond

Researcher from IBM
#40300 of 53,633
6.8 Total CVSS
Vulnerabilities · 1
PT-2024-35657
6.8
2024-11-19
Linux · Linux Kernel · CVE-2024-53210
**Name of the Vulnerable Software and Affected Versions**

Linux kernel versions prior to 6.10.0-rc7

**Description**

The issue is a memory leak in the Linux kernel's s390/iucv component. When the `MSG_PEEK` flag is passed to `skb_recv_datagram()`, it increments the `skb->users` refcount, but `iucv_sock_recvmsg()` does not decrement the refcount at exit. The result is a memory leak in `skb_queue_purge()` and a `WARN_ON` in `iucv_sock_destruct()` during socket close. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Technical details about exploitation include:

- The `MSG_PEEK` flag is used in the `skb_recv_datagram()` function.
- The `skb->users` refcount is incremented when the `MSG_PEEK` flag is passed.
- The `iucv_sock_recvmsg()` function does not decrement the `skb->users` refcount at exit.
- The memory leak occurs in `skb_queue_purge()`.
- A `WARN_ON` is triggered in `iucv_sock_destruct()` during socket close.

**Recommendations**

To resolve the issue, decrease the `skb->users` refcount by one if the `MSG_PEEK` flag is set, which prevents both the memory leak and the `WARN_ON`. As a temporary workaround, consider disabling the `iucv_sock_destruct()` function until a patch is available. Restrict access to the `skb_recv_datagram()` function to minimize the risk of exploitation. Avoid using the `MSG_PEEK` flag in the affected API endpoint until the issue is resolved.
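The refcount imbalance described above can be modelled outside the kernel. The following is an added userspace C example, not code from the Linux kernel or from this entry's author: it reduces `skb`, the receive queue, `skb_recv_datagram()`, `skb_queue_purge()` and the socket-destruct check to a few dozen lines, puts a leaky `recvmsg` that forgets to drop the extra `MSG_PEEK` reference beside a fixed one that balances it, and reports how many buffers are still alive after close. All names, the single queued datagram and the `MSG_PEEK` value are assumptions of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model of the kernel's skb refcounting; the
 * names mirror kernel concepts but nothing here is kernel code. */
#ifndef MSG_PEEK
#define MSG_PEEK 0x2   /* assumed: Linux's MSG_PEEK flag value */
#endif

struct skb {
    struct skb *next;
    int users;          /* models skb->users */
    char data[16];
};

struct sock {
    struct skb *rx_head;   /* models sk->sk_receive_queue */
    int live_skbs;         /* buffers allocated and not yet freed */
};

static struct skb *skb_alloc(struct sock *sk, const char *payload)
{
    struct skb *s = calloc(1, sizeof *s);
    s->users = 1;                            /* the queue's reference */
    strncpy(s->data, payload, sizeof s->data - 1);
    sk->live_skbs++;
    return s;
}

/* Drop one reference; free the buffer when the last one goes away. */
static void skb_unref_free(struct sock *sk, struct skb *s)
{
    if (--s->users == 0) { sk->live_skbs--; free(s); }
}

static void queue_tail(struct sock *sk, struct skb *s)
{
    struct skb **pp = &sk->rx_head;
    while (*pp) pp = &(*pp)->next;
    *pp = s;
}

/* Models skb_recv_datagram(): with MSG_PEEK the buffer stays queued and the
 * caller gets an extra reference; without it the buffer is dequeued and the
 * caller inherits the queue's reference. */
static struct skb *skb_recv_datagram(struct sock *sk, int flags)
{
    struct skb *s = sk->rx_head;
    if (!s) return NULL;
    if (flags & MSG_PEEK) {
        s->users++;
    } else {
        sk->rx_head = s->next;
        s->next = NULL;
    }
    return s;
}

/* Leaky recvmsg: only drops a reference on the consuming path, so the
 * extra MSG_PEEK reference is never returned (the defect being described). */
static int recvmsg_leaky(struct sock *sk, int flags, char *out)
{
    struct skb *s = skb_recv_datagram(sk, flags);
    if (!s) return -1;
    strcpy(out, s->data);
    if (!(flags & MSG_PEEK))
        skb_unref_free(sk, s);
    return 0;
}

/* Fixed recvmsg: the caller always drops the reference it received, whether
 * that was the PEEK reference or the dequeued buffer's queue reference. */
static int recvmsg_fixed(struct sock *sk, int flags, char *out)
{
    struct skb *s = skb_recv_datagram(sk, flags);
    if (!s) return -1;
    strcpy(out, s->data);
    skb_unref_free(sk, s);
    return 0;
}

/* Models skb_queue_purge(): the queue gives up its reference to each buffer.
 * A buffer still holding a stray reference survives this, i.e. leaks. */
static void skb_queue_purge(struct sock *sk)
{
    struct skb *s;
    while ((s = sk->rx_head)) {
        sk->rx_head = s->next;
        skb_unref_free(sk, s);
    }
}

/* One socket lifetime: queue a constructed datagram, receive it with the
 * given flags through the given recvmsg, then close. Returns the number of
 * buffers still alive afterwards; a destruct-time sanity check would warn
 * on anything other than 0. */
static int run_socket_lifetime(int (*recvmsg)(struct sock *, int, char *), int flags)
{
    struct sock sk = {0};
    char buf[16];
    queue_tail(&sk, skb_alloc(&sk, "hello"));
    recvmsg(&sk, flags, buf);
    skb_queue_purge(&sk);
    return sk.live_skbs;   /* the leaky PEEK path deliberately loses one buffer */
}

int main(void)
{
    printf("leaky, MSG_PEEK : %d live after close\n", run_socket_lifetime(recvmsg_leaky, MSG_PEEK));
    printf("fixed, MSG_PEEK : %d live after close\n", run_socket_lifetime(recvmsg_fixed, MSG_PEEK));
    printf("leaky, no flags : %d live after close\n", run_socket_lifetime(recvmsg_leaky, 0));
    return 0;
}
```

The model shows why the non-PEEK path hides the bug: without `MSG_PEEK` the single reference is consumed and everything balances, so only a peeking receiver followed by socket close exposes the stray reference that the purge cannot release.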