PT-2024-31338 · Linux+6 · Linux Kernel+6
Published: 2024-08-07 · Updated: 2025-09-29
CVE-2024-44971
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.50
Description
A memory leak vulnerability has been resolved in the Linux kernel. The issue occurs in the bcm_sf2_mdio_register() function, which calls of_phy_find_device() and then phy_device_remove() in a loop to remove existing PHY devices. The of_phy_find_device() function eventually calls bus_find_device(), which calls get_device() on the returned struct device * to increment the refcount. However, the current implementation does not decrement the refcount, causing a memory leak. The vulnerability has been fixed by adding a missing phy_device_free() call, which decrements the refcount via put_device() and so balances it.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.50 or later. As a temporary workaround, consider disabling the bcm_sf2_mdio_register() function until a patch is available. Restrict access to the vulnerable bcm_sf2 module to minimize the risk of exploitation. Avoid using the struct device * parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
Memory Leak
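The refcount imbalance from the Description, reduced to a userspace C model. This is an added example, not kernel code and not part of the original advisory. The model_* functions, struct model_dev and run_cleanup() are hypothetical stand-ins for the kernel calls named in the Description, and only the reference counting is modelled.

```c
#include <stdio.h>
#define MAX_DEVS 8
/* Constructed model of a refcounted device; not the kernel's struct device. */
struct model_dev { int refcount; int registered; };
static struct model_dev bus[MAX_DEVS];

/* of_phy_find_device() analogue: a successful lookup takes a reference. */
static struct model_dev *model_find(int addr)
{
    if (addr < 0 || addr >= MAX_DEVS || !bus[addr].registered)
        return NULL;
    bus[addr].refcount++;               /* get_device() in the real chain */
    return &bus[addr];
}

/* phy_device_remove() analogue: unregisters, leaves the refcount alone. */
static void model_remove(struct model_dev *d) { d->registered = 0; }

/* phy_device_free() analogue: drops one reference, as put_device() does. */
static void model_free(struct model_dev *d) { d->refcount--; }

/* Registers n devices, runs the find+remove loop, and returns how many
 * references taken by the lookups were never dropped. */
int run_cleanup(int n, int apply_fix)
{
    int stray = 0;
    if (n > MAX_DEVS) n = MAX_DEVS;
    for (int i = 0; i < n; i++)
        bus[i] = (struct model_dev){ .refcount = 1, .registered = 1 };
    for (int i = 0; i < n; i++) {
        struct model_dev *d = model_find(i);
        if (!d)
            continue;
        model_remove(d);
        if (apply_fix)
            model_free(d);              /* the call the fix adds */
    }
    for (int i = 0; i < n; i++)
        stray += bus[i].refcount - 1;   /* 1 = count before the lookup */
    return stray;
}

int main(void)
{
    printf("stray refs: unpatched=%d patched=%d\n",
           run_cleanup(4, 0), run_cleanup(4, 1));
    return 0;
}
```

In the unpatched path each removed device keeps one reference that nothing can drop later, because the device is no longer findable once it is unregistered.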
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu