CVE-2024-26748: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: fix memory double free when handle zero packet

    829 if (request->complete) {
    830         spin_unlock(&priv_dev->lock);
    831         usb_gadget_giveback_request(&priv_ep->endpoint,
    832                                     request);
    833         spin_lock(&priv_dev->lock);
    834 }
    835
    836 if (request->buf == priv_dev->zlp_buf)
    837         cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);

The driver appends an additional zero packet request when queuing a packet whose length mod max packet size is 0. When the transfer completes, execution reaches line 831 and usb_gadget_giveback_request() will free this request. The condition at line 836 is true, so cdns3_gadget_ep_free_request() frees this request again.

Log:

    [ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
    [ 1920.140696][ T150]
    [ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):
    [ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]
    [ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]

Add a check at line 829 to skip calling usb_gadget_giveback_request() if it is the additional zero length packet request. There is no need to call usb_gadget_giveback_request() because it is allocated in this driver.
AI Analysis
Technical Summary
CVE-2024-26748 is a vulnerability in the Linux kernel's USB gadget driver for Cadence USB3 controllers (cdns3). The flaw is a double free of a request object when the driver handles zero-length packets (ZLPs) during USB data transfers. When a packet whose length is a multiple of the endpoint's maximum packet size is queued, the driver appends an additional zero-length packet request that it allocates itself. When the transfer completes, usb_gadget_giveback_request() frees this request, and the driver then frees the same request again via cdns3_gadget_ep_free_request() because its buffer matches priv_dev->zlp_buf. The second free produces a use-after-free read, which KFENCE (Kernel Electric-Fence) caught in cdns3_gadget_giveback(), as shown in the kernel log above. The root cause is the missing check that would skip the usb_gadget_giveback_request() call for this driver-allocated ZLP request; the fix adds exactly that check, so the request is released once, by the driver. This vulnerability affects Linux kernel versions containing the affected commit hashes referenced, and it is relevant to systems using the cdns3 USB gadget driver, typically embedded or specialized devices built around Cadence USB3 controllers. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
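To make the sequence concrete, here is an added C model of the completion path described above; it is not the kernel's code and not the commit itself. zlp_buf, data_buf, usb_request, gadget_complete, ep_free_request and giveback_free_count are constructed stand-ins that count releases instead of freeing memory, so the double free shows up as a count of 2 rather than a crash.

```c
#include <stdbool.h>

/* Added model of the cdns3 giveback path (not kernel code). The names
 * mirror the commit (zlp_buf, request->complete, giveback, free_request)
 * but every structure and function here is a constructed stand-in. */

static unsigned char zlp_buf[1];   /* stands in for priv_dev->zlp_buf */
static unsigned char data_buf[64]; /* constructed buffer of a normal request */

struct usb_request {
    void *buf;
    void (*complete)(struct usb_request *req);
    int free_count;                /* releases seen; 2 means double free */
};

/* Stand-in for cdns3_gadget_ep_free_request(): the driver's own release. */
static void ep_free_request(struct usb_request *req)
{
    req->free_count++;
}

/* Stand-in for the completion callback that usb_gadget_giveback_request()
 * invokes; the commit states this path frees the request, so the model
 * counts it as a release. */
static void gadget_complete(struct usb_request *req)
{
    req->free_count++;
}

/* Replays lines 829-837 of the commit for one completed request.
 * fixed == false: pre-patch logic; fixed == true: skip the giveback when
 * the request is the driver-allocated ZLP request (the commit's fix). */
int giveback_free_count(bool fixed, bool is_zlp)
{
    struct usb_request req = {
        .buf = is_zlp ? (void *)zlp_buf : (void *)data_buf,
        .complete = gadget_complete,
        .free_count = 0,
    };
    bool skip_giveback = fixed && req.buf == zlp_buf;

    if (req.complete && !skip_giveback)
        req.complete(&req);        /* line 831: usb_gadget_giveback_request() */

    if (req.buf == zlp_buf)
        ep_free_request(&req);     /* lines 836-837: second release of the ZLP */

    return req.free_count;         /* vulnerable ZLP: 2, fixed ZLP: 1, data: 1 */
}
```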
Potential Impact
The vulnerability can cause kernel memory corruption through the double free and the resulting use-after-free, potentially leading to system instability, crashes (kernel panics), or denial of service (DoS). In worst-case scenarios, an attacker with the ability to send crafted USB packets to a vulnerable device could exploit this flaw to execute arbitrary code within the kernel context, escalating privileges or compromising system integrity. For European organizations, the impact is especially significant for those relying on Linux-based embedded systems, IoT devices, or specialized hardware using the cdns3 USB gadget driver. Such devices are common in industrial control systems, telecommunications infrastructure, and network appliances. Disruption or compromise of these systems could affect critical infrastructure, data confidentiality, and operational continuity. Additionally, the vulnerability could be leveraged in targeted attacks against organizations with physical or remote USB access to vulnerable devices. However, exploitation requires specific conditions, such as access to the USB gadget interface, which may limit the attack surface to local or physically proximate attackers.
Mitigation Recommendations
Organizations should promptly apply the Linux kernel patches that address CVE-2024-26748 once available from their Linux distribution vendors or kernel maintainers. For systems where immediate patching is not feasible, mitigating controls include disabling or restricting USB gadget functionality if not required, or limiting physical and logical access to USB interfaces on vulnerable devices. Monitoring kernel logs for unusual USB gadget driver errors or kernel faults can help detect exploitation attempts. Additionally, organizations should implement strict device control policies to prevent unauthorized USB device connections. For embedded and IoT devices, firmware updates incorporating the patched kernel should be prioritized. Security teams should also conduct asset inventories to identify devices using the cdns3 driver and assess exposure. Network segmentation and isolation of critical devices can reduce the risk of lateral movement if exploitation occurs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.168Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3a17
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 6:10:22 PM
Last updated: 8/7/2025, 9:48:12 PM
Related Threats
- CVE-2025-8827: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8826: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8825: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-8824: Stack-based Buffer Overflow in Linksys RE6250 (High)
- CVE-2025-8823: OS Command Injection in Linksys RE6250 (Medium)