NULL pointer dereference in Linux kernel usb core driver



| Updated: 2025-05-14
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-26716
CWE-ID CWE-476
Exploitation vector Local
Public exploit N/A
Vulnerable software
 Linux kernel
Operating systems & Components / Operating system

Vendor Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) NULL pointer dereference

EUVDB-ID: #VU90609

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26716

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the update_port_device_state() function in drivers/usb/core/hub.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: 6.6 - 6.8 rc5

CPE2.3 External links

https://git.kernel.org/stable/c/ed85777c640cf9e6920bb1b60ed8cd48e1f4d873
https://git.kernel.org/stable/c/465b545d1d7ef282192ddd4439b08279bdb13f6f
https://git.kernel.org/stable/c/12783c0b9e2c7915a50d5ec829630ff2da50472c
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.18
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.7.6
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.8


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###