CVE-2024-50267
📋 TL;DR
This CVE describes a use-after-free in the Linux kernel's io_edgeport USB serial driver (the driver for Edgeport USB serial adapters): a URB completion callback releases the URB with usb_free_urb() and then dereferences it again in a debug printk. Because the stale access happens in kernel context, the outcome ranges from a kernel oops (denial of service) to memory corruption that could in principle be leveraged into code execution with kernel privileges. Only systems with the io_edgeport module loaded, which in practice means an Edgeport adapter (or hardware presenting its USB IDs) is attached, execute the affected code path.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution in kernel context, and with it full system compromise, if the freed URB's slab slot can be reclaimed with attacker-influenced data before the stale read; otherwise denial of service through a kernel oops or panic.
Likely Case
A kernel oops or panic when the freed URB is dereferenced, resulting in denial of service; recovery requires a reboot.
If Mitigated
Minimal impact if the io_edgeport driver is not loaded or USB serial devices are not in use.
🎯 Exploit Status
Exploitation requires a device the driver actually binds to (an Edgeport USB serial adapter, or hardware presenting its vendor/product IDs), a URB that completes through the affected callback, and the debug printk in that callback being active. The latter is the real gate: with CONFIG_DYNAMIC_DEBUG the arguments of a dev_dbg() call are only evaluated when that call site has been enabled through the dynamic_debug control interface, and on kernels built without dynamic debug the call is compiled out entirely unless DEBUG was defined for the driver. Where the site is active, the callback reads urb->dev after usb_free_urb() has already returned the URB to the slab; whether that yields a crash, a harmless stale read, or an exploitable condition depends on what has reused the slot in the meantime.
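A userspace model of the bug and its fix, added here as an illustration; this is not the kernel's code, and the struct layouts, the device name "edgeport-model" and the function names are simplified stand-ins (assumed names, not identifiers from the driver). It reproduces the ordering error in a completion callback, and it poisons freed objects with 0x6b, the byte SLUB poisoning uses, so that the stale read is detectable rather than silently reading whatever now occupies the slot. The model's dev_dbg stand-in always evaluates its arguments, i.e. it models the case where the dynamic-debug site is enabled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* byte pattern SLUB writes over freed objects */

/* Minimal stand-in for struct usb_device: only the field the log needs. */
struct usb_device {
    char name[32];
};

/* Minimal stand-in for struct urb: the callback reaches the device via dev. */
struct urb {
    struct usb_device *dev;
    int status;
};

/* A one-object "slab" standing in for the URB cache, so that reading the
 * object after it was freed stays inside memory we own (well defined here)
 * while still reproducing the kernel's poisoning behaviour. */
static struct urb urb_slot;
static struct usb_device edgeport_dev = { "edgeport-model" };  /* assumed name */

static struct urb *usb_alloc_urb_model(void)
{
    memset(&urb_slot, 0, sizeof urb_slot);
    return &urb_slot;
}

/* Like usb_free_urb() on a kernel with slab poisoning: fill with 0x6b. */
static void usb_free_urb_model(struct urb *urb)
{
    memset(urb, POISON_FREE, sizeof *urb);
}

/* True when the dev pointer carries the free-poison pattern, i.e. the
 * caller is reading a URB that has already been released. */
static int urb_is_freed(const struct urb *urb)
{
    unsigned char bytes[sizeof urb->dev];
    memcpy(bytes, &urb->dev, sizeof bytes);
    for (size_t i = 0; i < sizeof bytes; i++)
        if (bytes[i] != POISON_FREE)
            return 0;
    return 1;
}

/* Stand-in for dev_dbg(&urb->dev->dev, ...). Returns 0 if the message was
 * printed, -1 if it would have dereferenced a freed URB. The check plays
 * the role KASAN plays in a debug kernel; a production kernel would simply
 * fault or follow a dangling pointer. */
static int dev_dbg_model(const struct urb *urb, const char *msg)
{
    if (urb_is_freed(urb))
        return -1;
    printf("%s: %s (status %d)\n", urb->dev->name, msg, urb->status);
    return 0;
}

/* Vulnerable ordering: the URB is released first and then used to locate
 * the device to log against. */
int edge_callback_vulnerable(struct urb *urb)
{
    usb_free_urb_model(urb);
    return dev_dbg_model(urb, "bulk out cmd callback");
}

/* Fixed ordering: log while the URB is still valid, then release it. */
int edge_callback_fixed(struct urb *urb)
{
    int ret = dev_dbg_model(urb, "bulk out cmd callback");
    usb_free_urb_model(urb);
    return ret;
}

/* Run one completion through either callback and return its result:
 * -1 means the callback touched a freed URB, 0 means it did not. */
int run_completion(int use_fixed)
{
    struct urb *urb = usb_alloc_urb_model();
    urb->dev = &edgeport_dev;
    urb->status = 0;
    return use_fixed ? edge_callback_fixed(urb) : edge_callback_vulnerable(urb);
}

int main(void)
{
    printf("vulnerable ordering: %d\n", run_completion(0));
    printf("fixed ordering:      %d\n", run_completion(1));
    return 0;
}
```

In the real driver the object is a slab allocation shared with every other user of that cache, so the stale urb->dev read may return a pointer planted by whoever reclaimed the slot; KASAN reports it as slab-use-after-free naming the callback, which is why the log indicators below include that string. The fix commits resolve the issue by not using the URB after it has been freed, which is the reordering shown in edge_callback_fixed().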
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: fixed in the mainline and stable trees by the following commits (the remaining stable backports are listed under References): 13d6ff3ca76056d06a9d88300be2a293442ff595, 275258c30bbda29467216e96fb655b16bcc9992b, 314bdf446053e123f37543aa535197ee75f8aa97, 37bb5628379295c1254c113a407cab03a0f4d0b4, 39709ce93f5c3f9eb535efe2afea088805d1128f
Vendor Advisory: https://git.kernel.org/stable/c/13d6ff3ca76056d06a9d88300be2a293442ff595
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a build that contains the fix commits.
2. On distributions, install the latest kernel package with the package manager (apt/yum/dnf). The fix is backported, so the running version string will not match a mainline release; check the package changelog for CVE-2024-50267 instead.
3. Reboot so that the patched kernel, and the io_edgeport module built with it, is the one running.
🔧 Temporary Workarounds
Disable io_edgeport driver
Linux: prevent the vulnerable module from being loaded. A blacklist entry stops udev from auto-loading the module when a matching device is plugged in; adding an `install io_edgeport /bin/false` line to the same file additionally defeats an explicit modprobe. If the module is already loaded, rmmod only succeeds once no device is bound to it (unplug the adapter first).
echo 'blacklist io_edgeport' >> /etc/modprobe.d/blacklist.conf
rmmod io_edgeport
Disable the affected debug printk
Linux: on kernels with CONFIG_DYNAMIC_DEBUG, the freed URB is only dereferenced when the driver's dev_dbg() call sites are enabled. List the sites (flags should read =_ for disabled, =p for enabled) and clear any that are on. This requires debugfs to be mounted, and it does not help on a kernel where the driver was compiled with DEBUG defined, since dev_dbg() is then unconditional.
grep io_edgeport /sys/kernel/debug/dynamic_debug/control
echo 'module io_edgeport -p' > /sys/kernel/debug/dynamic_debug/control
🧯 If You Can't Patch
- Restrict physical USB device access to trusted personnel only; the driver only attaches to Edgeport devices (or hardware claiming their USB IDs), so an attacker has to present such a device to the host
- Implement strict USB device control policies and monitoring, for example by deauthorizing new USB devices by default through the kernel's USB authorization interface (authorized_default under /sys/bus/usb/devices/) and allowing only known devices
🔍 How to Verify
Check if Vulnerable:
Check whether the driver is loaded now: lsmod | grep io_edgeport. Check whether it ships with the running kernel at all: modinfo io_edgeport. If the module exists, determine whether the running kernel carries the fix. Distribution kernels backport it, so do not compare against a mainline version number; search the kernel package's changelog for CVE-2024-50267 (for example apt changelog linux-image-$(uname -r), or rpm -q --changelog kernel | grep CVE-2024-50267).
Check Version:
uname -r
Verify Fix Applied:
After rebooting, confirm that uname -r reports the updated kernel and that the package providing it lists CVE-2024-50267 in its changelog. Then confirm io_edgeport is either absent from lsmod or loaded from the patched kernel's module tree (modinfo -F filename io_edgeport should point under /lib/modules/$(uname -r)/).
📡 Detection & Monitoring
Log Indicators:
- Kernel oops, "general protection fault" or "BUG: unable to handle page fault" reports whose RIP or call trace names an io_edgeport function
- On KASAN-enabled kernels: "BUG: KASAN: slab-use-after-free" (older kernels print "use-after-free") naming an io_edgeport function
- USB serial driver error messages for Edgeport devices
- System crash/panic logs
Network Indicators:
- None - local vulnerability only (the trigger is a USB device presented to the host)
SIEM Query:
source="kernel" AND ("io_edgeport" OR "slab-use-after-free" OR "use-after-free" OR "general protection fault")
Note that a kernel fault report spans many log lines and the driver name usually appears in the RIP or call-trace lines, not in the line carrying the fault header, so correlate hits within a short time window rather than requiring both terms in a single event. The literal text "use after free" with spaces does not occur in kernel logs; only KASAN prints a use-after-free tag, and it is hyphenated.
🔗 References
- https://git.kernel.org/stable/c/13d6ff3ca76056d06a9d88300be2a293442ff595
- https://git.kernel.org/stable/c/275258c30bbda29467216e96fb655b16bcc9992b
- https://git.kernel.org/stable/c/314bdf446053e123f37543aa535197ee75f8aa97
- https://git.kernel.org/stable/c/37bb5628379295c1254c113a407cab03a0f4d0b4
- https://git.kernel.org/stable/c/39709ce93f5c3f9eb535efe2afea088805d1128f
- https://git.kernel.org/stable/c/44fff2c16c5aafbdb70c7183dae0a415ae74705e
- https://git.kernel.org/stable/c/e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa
- https://git.kernel.org/stable/c/e6ceb04eeb6115d872d4c4078d12f1170ed755ce
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html