CVE-2024-46674
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's DWC3 USB driver for STMicroelectronics platforms could allow local attackers to crash the system or potentially execute arbitrary code. This affects Linux systems with specific USB hardware configurations where the driver probe function fails. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to kernel compromise, system crash, or arbitrary code execution with kernel privileges.
Likely Case
Kernel panic or system crash when USB device initialization fails, causing denial of service.
If Mitigated
Limited impact with proper access controls preventing local attackers from triggering the vulnerable code path.
🎯 Exploit Status
Exploitation requires local access and ability to trigger specific USB driver initialization failures. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel commits: 060f41243ad7f6f5249fa7290dda0c01f723d12d, 1de989668708ce5875efc9d669d227212aeb9a90, 4c6735299540f3c82a5033d35be76a5c42e0fb18, 6aee4c5635d81f4809c3b9f0c198a65adfbb2ada, b0979a885b9d4df2a25b88e9d444ccaa5f9f495c
Vendor Advisory: https://git.kernel.org/stable/c/060f41243ad7f6f5249fa7290dda0c01f723d12d
Restart Required: Yes
Instructions:
1. Update the Linux kernel to the patched version from your distribution.
2. For custom kernels, apply the relevant git commits.
3. Reboot the system to load the new kernel.
🔧 Temporary Workarounds
Disable affected USB controller
Prevent loading of the vulnerable DWC3 ST driver module:
echo 'blacklist dwc3-st' > /etc/modprobe.d/disable-dwc3-st.conf
update-initramfs -u
reboot
🧯 If You Can't Patch
- Restrict local user access to prevent triggering vulnerable code paths
- Implement strict USB device connection policies to reduce driver initialization failures
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the DWC3 ST driver is loaded: 'uname -r' and 'lsmod | grep dwc3'
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel is the updated version and, for custom kernels, that the fix commits listed above are present in the kernel source.
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages related to USB/DWC3 driver
- System crashes during USB device initialization
Network Indicators:
- None - local vulnerability only
SIEM Query:
search ('kernel: BUG:' OR 'kernel: Oops:') AND ('dwc3' OR 'usb')
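The "How to Verify" checks and the log indicators in this section, as an added POSIX shell example that is not part of the advisory. It takes the module name dwc3-st and the 'BUG:'/'Oops:' strings from the advisory; the lsmod output and log lines below are constructed samples, the patched version threshold is a placeholder because the advisory does not state one, and the function and variable names are this example's own. Note that lsmod prints module names with underscores (dwc3_st), so the check accepts both spellings, and that the modprobe blacklist workaround only applies when the driver is a loadable module, not when it is built into the kernel image.

```shell
#!/bin/sh
# Added example for CVE-2024-46674 checks (not from the advisory).
# Module name 'dwc3-st' and 'BUG:'/'Oops:' strings come from the advisory;
# SAMPLE_LSMOD and SAMPLE_LOG are constructed data for offline demonstration.

# Return 0 if the dwc3-st module is listed in lsmod-style output passed as $1.
# lsmod shows loadable modules as dwc3_st (underscore), so accept both forms.
dwc3_st_loaded() {
    printf '%s\n' "$1" | grep -Eq '^dwc3[-_]st[[:space:]]'
}

# Count kernel BUG/Oops lines that also mention dwc3 or usb in log text $1.
# This is the advisory's SIEM query with explicit grouping: an Oops line that
# does not mention dwc3/usb is NOT counted. Prints the count (0 when none).
count_dwc3_oops() {
    printf '%s\n' "$1" | grep -E 'kernel: (BUG|Oops):' | grep -Eic 'dwc3|usb' || true
}

# Return 0 if kernel version $1 (as printed by uname -r, e.g. 6.10.7-arch1-1)
# is >= $2 on its numeric major.minor.patch fields. The advisory gives no fixed
# version number, so the threshold must come from your distribution's notice.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    # pad so every version has at least three numeric fields
    have="$have.0.0"
    want="$want.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        if [ "$h" -gt "$w" ]; then
            return 0
        elif [ "$h" -lt "$w" ]; then
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Run the same checks against the live host (not called here; invoke by hand).
# PATCHED_MIN is a placeholder: substitute the fixed version from your vendor.
check_live() {
    PATCHED_MIN="${PATCHED_MIN:-0.0.0}"
    if dwc3_st_loaded "$(lsmod)"; then
        echo "dwc3_st module is loaded on kernel $(uname -r)"
    else
        echo "dwc3_st module not loaded (may still be built-in; check your kernel config)"
    fi
    if kernel_at_least "$(uname -r)" "$PATCHED_MIN"; then
        echo "kernel $(uname -r) is at or above placeholder threshold $PATCHED_MIN"
    fi
    echo "BUG/Oops lines mentioning dwc3/usb in dmesg: $(count_dwc3_oops "$(dmesg 2>/dev/null)")"
}

# Constructed lsmod output (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
dwc3_st                16384  0
dwc3                  147456  1 dwc3_st
usbcore               344064  3 dwc3,dwc3_st,xhci_hcd'

# Constructed syslog lines (not captured from a real host). Only the second
# line should count: line 3 is an Oops line without a dwc3/usb mention.
SAMPLE_LOG='Sep 12 10:01:02 host kernel: usb 1-1: new high-speed USB device number 2
Sep 12 10:01:03 host kernel: BUG: KASAN: use-after-free in dwc3_st (constructed sample line)
Sep 12 10:01:03 host kernel: Oops: 0000 [#1] SMP
Sep 12 10:01:03 host kernel: Call trace: (constructed sample line)'

demo() {
    dwc3_st_loaded "$SAMPLE_LSMOD" && echo "sample: dwc3_st loaded"
    echo "sample: matching BUG/Oops lines = $(count_dwc3_oops "$SAMPLE_LOG")"
}
demo
```

Run the script as-is to see the constructed samples evaluated; source it and call check_live with PATCHED_MIN set to the version named in your distribution's advisory to check a real host (dmesg may need root).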
🔗 References
- https://git.kernel.org/stable/c/060f41243ad7f6f5249fa7290dda0c01f723d12d
- https://git.kernel.org/stable/c/1de989668708ce5875efc9d669d227212aeb9a90
- https://git.kernel.org/stable/c/4c6735299540f3c82a5033d35be76a5c42e0fb18
- https://git.kernel.org/stable/c/6aee4c5635d81f4809c3b9f0c198a65adfbb2ada
- https://git.kernel.org/stable/c/b0979a885b9d4df2a25b88e9d444ccaa5f9f495c
- https://git.kernel.org/stable/c/ddfcfeba891064b88bb844208b43bef2ef970f0c
- https://git.kernel.org/stable/c/e1e5e8ea2731150d5ba7c707f9e02fafebcfeb49
- https://git.kernel.org/stable/c/f3498650df0805c75b4e1c94d07423c46cbf4ce1
- https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html