CVE-2024-36009

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.37

Description A vulnerability has been resolved in the Linux kernel, specifically in the ax25 module, which handles Amateur Radio AX.25 packet protocol. The issue is related to a netdev refcount problem. When the ax25 device is detaching, the dev tracker of ax25 cb should be deallocated in ax25 kill by device() instead of the dev tracker of ax25 dev. The log reported by ref tracker shows a reference already released error. The vulnerability can be mitigated by changing ax25 dev->dev tracker to the dev tracker of ax25 cb.

Recommendations To resolve the issue, update the Linux kernel to version 6.6.37 or later. For versions prior to 6.6.37, change ax25 dev->dev tracker to the dev tracker of ax25 cb to mitigate the bug.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

AZL-42121

AZL-67706

BDU:2025-08076

CVE-2024-36009

MGASA-2024-0263

MGASA-2024-0266

OPENSUSE-SU-2024_3190-1

OPENSUSE-SU-2024_3209-1

OPENSUSE-SU-2024_3483-1

SUSE-SU-2024:2135-1

SUSE-SU-2024:2203-1

SUSE-SU-2024:2973-1

SUSE-SU-2024:3190-1

SUSE-SU-2024:3209-1

SUSE-SU-2024:3483-1

SUSE-SU-2025:20008-1

SUSE-SU-2025:20028-1

SUSE-SU-2025:20166-1

SUSE-SU-2025:20249-1

USN-6949-1

USN-6949-2

USN-6952-1

USN-6952-2

USN-6955-1

Affected Products

Astra Linux

Debian

Linuxmint

Linux Kernel

Red Os

Suse

Ubuntu

CVE-2024-36009

Weakness Enumeration

Related Identifiers

Affected Products

References · 3670