5.5
MEDIUM
CVE-2024-44960
Linux Kernel USB Gadget Descriptor Vulnerability
Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: Check for unset descriptor Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets.

INFO

Published Date :

Sept. 4, 2024, 7:15 p.m.

Last Modified :

Oct. 4, 2024, 4:44 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

3.6

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-44960 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-44960.

URL Resource
https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1 Patch
https://git.kernel.org/stable/c/50c5248b0ea8aae0529fdf28dac42a41312d3b62 Patch
https://git.kernel.org/stable/c/716cba46f73a92645cf13eded8d257ed48afc2a4 Patch
https://git.kernel.org/stable/c/7cc9ebcfe58be22f18056ad8bc6272d120bdcb3e Patch
https://git.kernel.org/stable/c/973a57891608a98e894db2887f278777f564de18 Patch
https://git.kernel.org/stable/c/a0362cd6e503278add954123957fd47990e8d9bf Patch
https://git.kernel.org/stable/c/ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a Patch
https://git.kernel.org/stable/c/df8e734ae5e605348aa0ca2498aedb73e815f244 Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-44960 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-44960 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Oct. 04, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Changed Reference Type https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1 No Types Assigned https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1 Patch
    Changed Reference Type https://git.kernel.org/stable/c/50c5248b0ea8aae0529fdf28dac42a41312d3b62 No Types Assigned https://git.kernel.org/stable/c/50c5248b0ea8aae0529fdf28dac42a41312d3b62 Patch
    Changed Reference Type https://git.kernel.org/stable/c/716cba46f73a92645cf13eded8d257ed48afc2a4 No Types Assigned https://git.kernel.org/stable/c/716cba46f73a92645cf13eded8d257ed48afc2a4 Patch
    Changed Reference Type https://git.kernel.org/stable/c/7cc9ebcfe58be22f18056ad8bc6272d120bdcb3e No Types Assigned https://git.kernel.org/stable/c/7cc9ebcfe58be22f18056ad8bc6272d120bdcb3e Patch
    Changed Reference Type https://git.kernel.org/stable/c/973a57891608a98e894db2887f278777f564de18 No Types Assigned https://git.kernel.org/stable/c/973a57891608a98e894db2887f278777f564de18 Patch
    Changed Reference Type https://git.kernel.org/stable/c/a0362cd6e503278add954123957fd47990e8d9bf No Types Assigned https://git.kernel.org/stable/c/a0362cd6e503278add954123957fd47990e8d9bf Patch
    Changed Reference Type https://git.kernel.org/stable/c/ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a No Types Assigned https://git.kernel.org/stable/c/ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a Patch
    Changed Reference Type https://git.kernel.org/stable/c/df8e734ae5e605348aa0ca2498aedb73e815f244 No Types Assigned https://git.kernel.org/stable/c/df8e734ae5e605348aa0ca2498aedb73e815f244 Patch
    Added CWE NIST CWE-476
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 3.16.80 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.17 up to (excluding) 4.4.199 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.5 up to (excluding) 4.9.199 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.152 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.320 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.3.9 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4 up to (excluding) 5.4.282 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.224 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.165 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.105 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.46 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.10.5 *cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Sep. 04, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: Check for unset descriptor Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets.
    Added Reference kernel.org https://git.kernel.org/stable/c/ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/df8e734ae5e605348aa0ca2498aedb73e815f244 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/7cc9ebcfe58be22f18056ad8bc6272d120bdcb3e [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/50c5248b0ea8aae0529fdf28dac42a41312d3b62 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a0362cd6e503278add954123957fd47990e8d9bf [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/1a9df57d57452b104c46c918569143cf21d7ebf1 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/716cba46f73a92645cf13eded8d257ed48afc2a4 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/973a57891608a98e894db2887f278777f564de18 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-44960 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-44960 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: