CVE-2024-44960
📋 TL;DR
This CVE describes a NULL pointer dereference in the Linux kernel's USB gadget core, in usb_ep_enable() (drivers/usb/gadget/udc/core.c). If a USB gadget function driver does not set an endpoint's descriptor (ep->desc) for the connection speed currently in use before enabling the endpoint, the core reads the maxpacket value through the unset, NULL descriptor pointer and the kernel oopses. This affects systems using USB gadget functionality, particularly embedded devices and development boards that expose a USB device controller (UDC).
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical intervention to restart affected devices.
Likely Case
System crash or instability when using improperly configured USB gadget drivers, primarily affecting development environments.
If Mitigated
No impact for properly configured systems using standard, well-tested USB gadget drivers.
🎯 Exploit Status
Triggering the bug requires the ability to load a USB gadget function driver or to build a gadget through configfs (/sys/kernel/config/usb_gadget), both of which are privileged operations. The trigger is a gadget-side function driver that leaves an endpoint descriptor unset for the negotiated speed, not malformed data sent by the host, and the outcome is a crash (denial of service), not arbitrary code execution.
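To make the failure mode concrete, here is a user-space model of the endpoint-enable path described in the TL;DR and above. It is an added example, not kernel code and not the project's own source: the struct and function names mirror the kernel's usb_ep, usb_endpoint_descriptor and usb_ep_enable() but are simplified, the per-speed descriptor table and descriptor values are constructed for the demo, and the SS-to-HS-to-FS fallback is a model of the behaviour of the kernel's config_ep_by_speed() helper rather than its code. The "vulnerable" enable function must never be called with the SuperSpeed entry, because in this model, as in the kernel, that is a NULL dereference.

```c
/* Added example (not kernel code): user-space model of the USB gadget
 * endpoint-enable path. Names mirror the kernel's usb_ep /
 * usb_endpoint_descriptor / usb_ep_enable() but are simplified; the
 * speed table and descriptors are constructed for the demo. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum usb_device_speed { USB_SPEED_FULL, USB_SPEED_HIGH, USB_SPEED_SUPER, USB_SPEED_COUNT };

struct usb_endpoint_descriptor {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;   /* host byte order in this model */
};

struct usb_ep {
    const char *name;
    const struct usb_endpoint_descriptor *desc; /* NULL until the function driver sets it */
    int enabled;
};

/* Mirrors usb_endpoint_maxp(): the low 11 bits of wMaxPacketSize. */
static unsigned usb_endpoint_maxp(const struct usb_endpoint_descriptor *d)
{
    return d->wMaxPacketSize & 0x7ff;
}

/* Pre-fix shape of usb_ep_enable(): reads maxpacket through ep->desc
 * unconditionally, so an unset descriptor is a NULL pointer dereference. */
static int usb_ep_enable_vulnerable(struct usb_ep *ep)
{
    if (ep->enabled)
        return 0;
    if (usb_endpoint_maxp(ep->desc) == 0)   /* oops here when ep->desc == NULL */
        return -EINVAL;
    ep->enabled = 1;
    return 0;
}

/* Post-fix shape: reject an unset descriptor before touching it. */
static int usb_ep_enable_fixed(struct usb_ep *ep)
{
    if (ep->enabled)
        return 0;
    if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) {
        fprintf(stderr, "usb_ep_enable: %s has %s\n", ep->name,
                ep->desc ? "maxpacket 0" : "NULL descriptor");
        return -EINVAL;
    }
    ep->enabled = 1;
    return 0;
}

/* Constructed per-speed descriptor table for one bulk IN endpoint. The
 * function provides full- and high-speed descriptors only and leaves
 * SuperSpeed unset: exactly the "not set up for the current speed" bug. */
static const struct usb_endpoint_descriptor fs_bulk_in = { 0x81, 0x02, 64 };
static const struct usb_endpoint_descriptor hs_bulk_in = { 0x81, 0x02, 512 };
static const struct usb_endpoint_descriptor *bulk_in_by_speed[USB_SPEED_COUNT] = {
    [USB_SPEED_FULL]  = &fs_bulk_in,
    [USB_SPEED_HIGH]  = &hs_bulk_in,
    [USB_SPEED_SUPER] = NULL,
};

/* Buggy set_alt(): trusts the table for the negotiated speed. With the
 * vulnerable core this crashes at SuperSpeed; with the fixed core it
 * returns -EINVAL and the endpoint stays disabled. */
static int set_alt_naive(struct usb_ep *ep, enum usb_device_speed speed, int core_is_fixed)
{
    ep->desc = bulk_in_by_speed[speed];
    return core_is_fixed ? usb_ep_enable_fixed(ep) : usb_ep_enable_vulnerable(ep);
}

/* Function-driver-side hardening: fall back to the next lower speed's
 * descriptor when the table has none for the negotiated speed (a model of
 * the SS -> HS -> FS fallthrough in the kernel's config_ep_by_speed()). */
static const struct usb_endpoint_descriptor *pick_desc(enum usb_device_speed speed)
{
    for (int s = (int)speed; s >= 0; s--)
        if (bulk_in_by_speed[s])
            return bulk_in_by_speed[s];
    return NULL;
}

static int set_alt_with_fallback(struct usb_ep *ep, enum usb_device_speed speed)
{
    ep->desc = pick_desc(speed);
    return usb_ep_enable_fixed(ep);
}

int main(void)
{
    struct usb_ep hs = { "ep1in", NULL, 0 }, ss = { "ep1in", NULL, 0 }, fb = { "ep1in", NULL, 0 };
    printf("HS, vulnerable core: %d\n", set_alt_naive(&hs, USB_SPEED_HIGH, 0));   /* 0 */
    printf("SS, fixed core:      %d\n", set_alt_naive(&ss, USB_SPEED_SUPER, 1));  /* -22 */
    printf("SS, with fallback:   %d (maxp %u)\n",
           set_alt_with_fallback(&fb, USB_SPEED_SUPER), usb_endpoint_maxp(fb.desc)); /* 0, 512 */
    return 0;
}
```

The two halves of the fix are visible here: the core-side NULL check turns a crash into a logged -EINVAL, and the function-driver-side fallback avoids ever handing the core an unset descriptor. A real gadget driver should do both; the kernel patch only supplies the first.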
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing fix commit 1a9df57d57452b104c46c918569143cf21d7ebf1 or one of its stable backports listed under References. The fix makes usb_ep_enable() check ep->desc for NULL before reading its maxpacket value and reject such an endpoint with -EINVAL and a WARN_ONCE instead of dereferencing it.
Vendor Advisory: https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable USB gadget functionality
Remove or disable USB gadget kernel modules if not required. Unbind any configfs-built gadget first (write an empty string to its UDC attribute under /sys/kernel/config/usb_gadget/), then unload legacy gadget drivers, function modules, and finally libcomposite, in that order, because each layer holds a reference to the one below it. If the gadget stack is built into the kernel rather than modular (common on embedded images), unloading is not possible and unbinding through configfs is the only option.
rmmod g_ether
rmmod g_serial
rmmod g_mass_storage
lsmod | awk '/^usb_f_/ {print $1}' | xargs -r rmmod
rmmod libcomposite
Blacklist USB gadget modules
Prevent loading of USB gadget modules at boot. A blacklist entry only stops alias-based autoloading; an explicit modprobe still succeeds, so on systems that must never act as a gadget add an install override for the shared libcomposite layer (install libcomposite /bin/false) to the same file. update-initramfs is the Debian/Ubuntu tool; on dracut-based distributions regenerate the initramfs with dracut -f instead.
echo 'blacklist g_ether' >> /etc/modprobe.d/blacklist-usb-gadget.conf
echo 'blacklist g_serial' >> /etc/modprobe.d/blacklist-usb-gadget.conf
echo 'blacklist g_mass_storage' >> /etc/modprobe.d/blacklist-usb-gadget.conf
update-initramfs -u
🧯 If You Can't Patch
- Restrict access to USB gadget configuration (module loading and the configfs tree under /sys/kernel/config/usb_gadget) to trusted users only
- Audit and validate any custom USB gadget function drivers before deployment, checking that a descriptor is provided for every speed the UDC can negotiate, or that the function falls back to a lower-speed descriptor
🔍 How to Verify
Check if Vulnerable:
Check whether the gadget stack is present and active: lsmod | grep -E '^(g_|usb_f_|libcomposite)' lists loaded gadget modules, and ls /sys/class/udc lists USB device controllers (an empty directory means the system cannot act as a gadget at all). Modules built into the kernel do not appear in lsmod; in that case check /lib/modules/$(uname -r)/modules.builtin or the kernel config for CONFIG_USB_GADGET and CONFIG_USB_LIBCOMPOSITE.
Check Version:
uname -r
Verify Fix Applied:
Confirm from your distribution's changelog or advisory that the running kernel package includes the fix for CVE-2024-44960 (the Debian LTS announcements under References name the fixed versions). If you build from source, the patched usb_ep_enable() in drivers/usb/gadget/udc/core.c tests ep->desc for NULL before calling usb_endpoint_maxp() and reports "NULL descriptor" in its WARN_ONCE message, so grep -n 'NULL descriptor' drivers/usb/gadget/udc/core.c should match on a fixed tree.
📡 Detection & Monitoring
Log Indicators:
- Oops or panic messages in dmesg or /var/log/kern.log: "BUG: kernel NULL pointer dereference" (x86) or "Unable to handle kernel NULL pointer dereference" (arm64) with usb_ep_enable in the call trace
- On a patched kernel the same condition no longer crashes but logs a WARN_ONCE from usb_ep_enable reporting "NULL descriptor"; that message means a defective gadget driver is in use and would have crashed an unpatched kernel
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "NULL pointer dereference" OR "NULL descriptor") AND ("usb" OR "gadget" OR "usb_ep_enable")
🔗 References
- https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1
- https://git.kernel.org/stable/c/50c5248b0ea8aae0529fdf28dac42a41312d3b62
- https://git.kernel.org/stable/c/716cba46f73a92645cf13eded8d257ed48afc2a4
- https://git.kernel.org/stable/c/7cc9ebcfe58be22f18056ad8bc6272d120bdcb3e
- https://git.kernel.org/stable/c/973a57891608a98e894db2887f278777f564de18
- https://git.kernel.org/stable/c/a0362cd6e503278add954123957fd47990e8d9bf
- https://git.kernel.org/stable/c/ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a
- https://git.kernel.org/stable/c/df8e734ae5e605348aa0ca2498aedb73e815f244
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html