CVE-2024-26749 : In the Linux kernel, the following vulnerability has been resolved: usb: cdns3:

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() ... cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ... 'priv_req' actually free at cdns3_gadget_ep_free_request(). But list_del_init() use priv_req->list after it. [ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4 [ 1542.642868][ T534] [ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3): [ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4 [ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3] [ 1542.671571][ T534] usb_ep_disable+0x44/0xe4 [ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8 [ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368 [ 1542.685478][ T534] ffs_func_disable+0x18/0x28 Move list_del_init() before cdns3_gadget_ep_free_request() to resolve this problem.

Published 2024-04-03 17:15:52

Updated 2025-01-14 17:28:08

Source Linux

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2024-26749

Linux » Linux Kernel
Versions from including (>=) 6.7 and before (<) 6.7.7
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.5 and before (<) 5.10.211
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 6.2 and before (<) 6.6.19
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.4 and before (<) 5.4.270
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.16 and before (<) 6.1.80
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.11 and before (<) 5.15.150
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 6.8 Update RC1
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 6.8 Update RC2
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 6.8 Update RC3
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 6.8 Update RC4
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel » Version: 6.8 Update RC5
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-26749

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 15 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-26749

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2025-01-14
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-26749

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2024-26749

https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9

usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable() - kernel/git/stable/linux.git - Linux kernel stable tree
Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

[SECURITY] [DLA 3842-1] linux-5.10 security update
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-26749

Products affected by CVE-2024-26749

Exploit prediction scoring system (EPSS) score for CVE-2024-26749

CVSS scores for CVE-2024-26749

CWE ids for CVE-2024-26749

References for CVE-2024-26749