
CVE-2024-26996: Vulnerability in Linux Linux

High
Published: Wed May 01 2024 (05/01/2024, 05:28:16 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

When the ncm function is working and the usb0 interface is then stopped for link down, eth_stop() is called. At this point, if a usb transport error happens in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled. After that, ncm_disable() is called to disable for ncm unbind, but gether_disconnect() is never called since 'in_ep' is not enabled. As a result, the ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL. When ncm binds again to recover netdev, the ncm object is reallocated, but the usb0 interface is still associated to the previously released ncm object. Therefore, once the usb0 interface is up and eth_start_xmit() is called, the released ncm object is dereferenced and it might cause a use-after-free memory access.

    [function unlink via configfs]
    usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable().
    NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
    NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
    NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm

    [function link via configfs]
    NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
    NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
    NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
    usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
    usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap()
    Unable to handle kernel paging request at virtual address dead00000000014f

This patch addresses the issue by checking whether 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It is more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than to check 'ncm->port.in_ep->enabled', since the endpoint might not be enabled while the gether connection is still established.

AI-Powered Analysis

Last updated: 06/29/2025, 14:11:01 UTC

Technical Analysis

CVE-2024-26996 is a use-after-free (UAF) vulnerability in the Linux kernel's USB gadget subsystem, specifically in the function driver for Network Control Model (NCM) USB Ethernet devices (f_ncm). The vulnerability arises during the sequence of stopping and restarting the USB network interface (usb0) when a USB transport error occurs at a critical point in the endpoint enabling process (usb_ep_enable).

When the NCM function is active and the usb0 interface is stopped (link down), eth_stop() is called. If a USB transport error happens during usb_ep_enable(), the input and/or output endpoints ('in_ep'/'out_ep') may not be enabled as expected. Subsequently, when ncm_disable() is called to unbind the NCM function, gether_disconnect(), which is responsible for dissociating the USB port from the NCM object, is not invoked, because ncm_disable() checks the enabled state of 'in_ep', and that state is false due to the error. The NCM object is therefore freed while the USB port reference ('dev->port_usb') still points to the released NCM object.

When the NCM function is rebound and the usb0 interface is brought back up, the interface is still associated with the previously freed NCM object. This leads to a use-after-free condition when eth_start_xmit() dereferences the stale pointer, potentially causing a kernel crash or arbitrary code execution.

The patch fixes this by changing the condition in ncm_disable() to check whether 'ncm->netdev' is not NULL before calling gether_disconnect(), ensuring proper cleanup regardless of the endpoint enabled state. This vulnerability affects Linux kernel versions containing the specified commit hashes and is relevant to systems using the USB NCM gadget driver, commonly used in embedded devices and network interface implementations over USB.
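The two ncm_disable() conditions contrasted above, played through a userspace model of the lifecycle in the advisory. This is an added example, not kernel code: the struct and function names follow the driver (f_ncm, gether_connect, eth_stop, ncm_disable), but the bodies are simplified assumptions, and the release of the ncm object is simulated with a flag so nothing dereferences freed memory.

```c
/* Added illustration, not kernel code: a userspace model of the f_ncm
 * lifecycle from CVE-2024-26996. Struct and function names mirror the
 * driver's (f_ncm, gether, eth_stop, ncm_disable) but the bodies are
 * simplified assumptions, and "free" is simulated with a flag so nothing
 * dereferences released memory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct usb_ep { bool enabled; };

struct f_ncm;

struct eth_dev {            /* usb0's private data; outlives the function */
    struct f_ncm *port_usb; /* models dev->port_usb */
};

struct f_ncm {
    struct usb_ep *in_ep;
    struct usb_ep *out_ep;
    struct eth_dev *netdev; /* set by gether_connect, cleared on disconnect */
    bool released;          /* simulation of ncm_free() */
};

static void gether_connect(struct eth_dev *dev, struct f_ncm *ncm)
{
    dev->port_usb = ncm;
    ncm->netdev = dev;
}

static void gether_disconnect(struct eth_dev *dev, struct f_ncm *ncm)
{
    dev->port_usb = NULL;
    ncm->netdev = NULL;
}

/* Link down: eth_stop() disables the endpoints and tries to re-enable
 * them; the advisory's failure case is usb_ep_enable() returning an error,
 * which leaves in_ep disabled while dev->port_usb still points at ncm. */
static void eth_stop_with_ep_error(struct f_ncm *ncm)
{
    ncm->in_ep->enabled = false;
    ncm->out_ep->enabled = false;
}

/* Pre-fix ncm_disable(): gates the disconnect on endpoint state. */
static void ncm_disable_vulnerable(struct eth_dev *dev, struct f_ncm *ncm)
{
    if (ncm->in_ep->enabled)
        gether_disconnect(dev, ncm);
}

/* Fixed ncm_disable(): gates the disconnect on the netdev association. */
static void ncm_disable_fixed(struct eth_dev *dev, struct f_ncm *ncm)
{
    if (ncm->netdev)
        gether_disconnect(dev, ncm);
}

/* Plays the advisory's sequence: bind, link down with the endpoint error,
 * disable, unbind/free, re-bind with alt=0 (so no new gether_connect),
 * then usb0 comes up. Returns 1 if eth_open() would find dev->port_usb
 * pointing at the released object, 0 if the port was cleanly detached. */
int run_lifecycle(void (*ncm_disable)(struct eth_dev *, struct f_ncm *))
{
    struct usb_ep in_ep = { .enabled = true }, out_ep = { .enabled = true };
    struct eth_dev usb0 = { .port_usb = NULL };
    struct f_ncm first = { &in_ep, &out_ep, NULL, false };
    struct f_ncm second = { &in_ep, &out_ep, NULL, false };

    gether_connect(&usb0, &first);     /* ncm_set_alt alt=1 on first bind */
    eth_stop_with_ep_error(&first);    /* usb0 link down, usb_ep_enable fails */
    ncm_disable(&usb0, &first);        /* function unlink via configfs */
    first.released = true;             /* ncm_unbind + ncm_free */
    (void)second;                      /* ncm_alloc + ncm_bind, alt=0 */

    /* eth_open()/eth_start_xmit() consult dev->port_usb, not the new object */
    return usb0.port_usb != NULL && usb0.port_usb->released;
}

int main(void)
{
    printf("pre-fix ncm_disable: stale dev->port_usb = %d\n",
           run_lifecycle(ncm_disable_vulnerable));
    printf("fixed   ncm_disable: stale dev->port_usb = %d\n",
           run_lifecycle(ncm_disable_fixed));
    return 0;
}
```

The model shows why the endpoint flag is the wrong guard: the association between usb0 and the function is made by gether_connect(), so only a state that gether_connect() itself sets ('ncm->netdev') reliably tells ncm_disable() whether a disconnect is owed.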

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected USB NCM gadget driver enabled. This includes embedded systems, IoT devices, routers, and specialized network appliances that use USB-based Ethernet interfaces. Exploitation could lead to kernel crashes resulting in denial of service, or potentially privilege escalation or arbitrary code execution if an attacker can trigger the use-after-free condition. This could disrupt critical network infrastructure, especially in sectors relying on embedded Linux devices such as telecommunications, industrial control systems, and automotive industries prevalent in Europe. The vulnerability could also impact development and testing environments using USB network gadgets. Given the kernel-level nature of the flaw, successful exploitation could compromise system integrity and availability, affecting business continuity and operational technology environments. Although no known exploits are reported in the wild yet, the complexity of the flaw and its kernel-level impact warrant prompt attention.

Mitigation Recommendations

European organizations should take the following specific actions:

1) Identify and inventory Linux systems using USB NCM gadget drivers, especially embedded devices and network appliances.
2) Apply the official Linux kernel patches that address CVE-2024-26996 as soon as they become available from trusted sources or vendor updates.
3) If immediate patching is not feasible, consider disabling the USB NCM gadget functionality on affected devices to prevent triggering the vulnerable code path.
4) Implement strict access controls to limit USB device connections and usage on critical systems to reduce the attack surface.
5) Monitor kernel logs and system behavior for unusual USB transport errors or crashes related to usb0 interfaces.
6) Engage with device vendors to ensure firmware and kernel updates incorporate the fix.
7) For development teams, review USB gadget usage patterns and error handling to avoid similar issues.
8) Employ kernel hardening techniques and runtime protections such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI) to mitigate exploitation impact.
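For item 5, one concrete check is to scan the gadget debug lines for the pattern the advisory's excerpt shows: an ncm object logged as freed, and usb0 later opened with dev->port_usb equal to that address. The scanner below is an added example, not from the page or the kernel; the message formats are assumed from the excerpt (real kernels emit them only with the driver's debug output enabled, and many kernels hash pointer values in logs), and the sample lines are constructed.

```c
/* Added example (not from the advisory or the kernel): scans NCM gadget
 * debug lines for an interface-up line whose dev->port_usb equals an ncm
 * object that was logged as freed and not allocated again. Message formats
 * are assumed from the advisory's excerpt. */
#include <stdio.h>
#include <string.h>

#define MAX_FREED 64

/* Constructed sample, modelled on the advisory's excerpt. */
static const char *sample_log[] = {
    "usb0: eth_stop dev->port_usb=ffffff9b179c3200",
    "NCM: ncm_disable: ncm=ffffff9b179c3200",
    "NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200",
    "NCM: ncm_free: ncm free ncm=ffffff9b179c3200",
    "NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000",
    "NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000",
    "NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0",
    "usb0: eth_open dev->port_usb=ffffff9b179c3200",
    "usb0: eth_start dev->port_usb=ffffff9b179c3200",
};

/* Constructed benign sample: the allocator hands the same address back,
 * so the later eth_open refers to a live object and must not be flagged. */
static const char *sample_log_clean[] = {
    "NCM: ncm_free: ncm free ncm=ffffff9b179c3200",
    "NCM: ncm_alloc: ncm alloc ncm=ffffff9b179c3200",
    "usb0: eth_open dev->port_usb=ffffff9b179c3200",
};

/* Copy the hex token following `key` in `line` into `out` (size n).
 * Returns 1 on success, 0 if the key is absent or no hex digits follow. */
static int hex_after(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    if (!p)
        return 0;
    p += strlen(key);
    while (i + 1 < n && ((*p >= '0' && *p <= '9') ||
                         (*p >= 'a' && *p <= 'f') ||
                         (*p >= 'A' && *p <= 'F')))
        out[i++] = *p++;
    out[i] = '\0';
    return i > 0;
}

/* Returns how many eth_open/eth_start lines refer to a freed ncm object. */
int count_stale_port_usb(const char *const *lines, size_t count)
{
    char freed[MAX_FREED][32];
    size_t nfreed = 0;
    int hits = 0;
    char addr[32];

    for (size_t i = 0; i < count; i++) {
        const char *line = lines[i];

        if (hex_after(line, "ncm free ncm=", addr, sizeof addr)) {
            if (nfreed < MAX_FREED)
                strcpy(freed[nfreed++], addr);
            continue;
        }
        if (hex_after(line, "ncm alloc ncm=", addr, sizeof addr)) {
            /* same address handed out again: it is live, forget it */
            for (size_t j = 0; j < nfreed; j++)
                if (strcmp(freed[j], addr) == 0) {
                    memmove(freed[j], freed[nfreed - 1], sizeof freed[j]);
                    nfreed--;
                    break;
                }
            continue;
        }
        if ((strstr(line, "eth_open") || strstr(line, "eth_start")) &&
            hex_after(line, "dev->port_usb=", addr, sizeof addr)) {
            for (size_t j = 0; j < nfreed; j++)
                if (strcmp(freed[j], addr) == 0) {
                    printf("stale dev->port_usb %s at line %zu: %s\n",
                           addr, i + 1, line);
                    hits++;
                    break;
                }
        }
    }
    return hits;
}

int main(void)
{
    printf("%d stale reference(s) in sample_log\n",
           count_stale_port_usb(sample_log,
                                sizeof sample_log / sizeof sample_log[0]));
    return 0;
}
```

A hit here is a strong signal that the device is on the vulnerable code path and should be prioritised for the kernel update in item 2; the eth_stop line preceding it with a usb_ep_enable() error is the trigger the advisory describes.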


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-02-19T14:20:24.206Z
Cisa Enriched
true
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9829c4522896dcbe305b

Added to database: 5/21/2025, 9:08:57 AM

Last enriched: 6/29/2025, 2:11:01 PM

Last updated: 7/29/2025, 10:33:15 PM
