CVE-2024-27405: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs

It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a proper NTB. When the NTB is parsed, unwrap call looks for any leftover bytes in SKB provided by u_ether and if there are any pending bytes, it treats them as a separate NTB and parses it. But in case the second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that were parsed properly in the first NTB and saved in rx_list are dropped.

Adding a few custom traces showed the following:

    [002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: req 000000003868811a length 1025/16384 zsI ==> 0
    [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025
    [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342
    [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67
    [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400
    [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10
    [002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames

In this case, the giveback is of 1025 bytes and block length is 1024. The rest 1 byte (which is 0x00) won't be parsed resulting in drop of all datagrams in rx_list.

Same is case with packets of size 2048:

    [002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: req 0000000011dfd96e length 2049/16384 zsI ==> 0
    [002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342
    [002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800

Lecroy shows one byte coming in extra confirming that the byte is coming in from PC:

    Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590)
    - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)
    --- Packet 4063861
          Data(1024 bytes)
          Duration(2.117us) Idle(14.700ns)
          Timestamp(18.524 843 590)
    --- Packet 4063863
          Data(1 byte)
          Duration(66.160ns) Time(282.000ns)
          Timestamp(18.524 845 722)

According to Windows driver, no ZLP is needed if wBlockLength is non-zero, because the non-zero wBlockLength has already told the function side the size of transfer to be expected. However, there are in-market NCM devices that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. To deal with such devices, it pads an extra 0 at end so the transfer is no longer multiple of wMaxPacketSize.
AI Analysis
Technical Summary
CVE-2024-27405 is a high-severity vulnerability in the Linux kernel's USB gadget subsystem, specifically affecting the Network Control Model (NCM) implementation used for USB tethering scenarios. The vulnerability arises due to improper handling of Network Transfer Blocks (NTBs) when tethering with Windows 11 hosts. In certain cases, the Linux kernel's gadget driver receives NTBs with an extra byte appended, which leads to the parsing logic incorrectly interpreting leftover bytes as a separate NTB. If this second NTB is malformed or corrupt, the driver discards all previously parsed datagrams stored in the receive list (rx_list), resulting in dropped network packets.

This behavior stems from a mismatch in expectations between Windows drivers and Linux gadget drivers regarding Zero Length Packets (ZLP) and block length handling. Windows drivers omit ZLPs when wBlockLength is non-zero, while some NCM devices expect ZLP padding if wBlockLength is a multiple of wMaxPacketSize. To accommodate these devices, Windows pads an extra zero byte, which triggers the Linux kernel's parsing issue.

The consequence is a denial of service (DoS) condition where valid network data is lost during tethering, impacting connectivity and availability. The vulnerability does not affect confidentiality or integrity but severely impacts availability of network communication over USB tethering. Exploitation requires no privileges or user interaction and can be triggered remotely by connecting a Windows 11 host to a vulnerable Linux gadget device. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits are reported in the wild yet. The root cause relates to improper null pointer dereference handling (CWE-476) in the USB gadget NCM code path.

The issue has been resolved in recent Linux kernel updates by improving NTB parsing robustness and avoiding dropping properly parsed datagrams when leftover bytes are detected.
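The drop described above can be reproduced in a simplified user-space model, added here as an illustration; it is not the kernel's ncm_unwrap_ntb code or the upstream patch. The function names, the tolerate_pad switch and the constructed 1025-byte transfer are assumptions; the NTH16/NDP16 field layout follows the CDC NCM specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one NTB16 at p; return its datagram count and set *blk, or -1 if malformed. */
static int parse_one(const uint8_t *p, size_t avail, size_t *blk) {
    if (avail < 12 || memcmp(p, "NCMH", 4) != 0) return -1;
    size_t ndp = le16(p + 10);                  /* wNdpIndex */
    *blk = le16(p + 8);                         /* wBlockLength */
    if (*blk > avail || ndp < 12 || ndp + 16 > *blk) return -1;
    if (memcmp(p + ndp, "NCM0", 4) != 0) return -1;
    int n = 0;
    for (size_t e = ndp + 8; e + 4 <= *blk; e += 4, n++) {
        size_t idx = le16(p + e), len = le16(p + e + 2);
        if (idx == 0 || len == 0) break;        /* terminating entry */
        if (idx + len > *blk) return -1;        /* datagram outside the block */
    }
    return n;
}

/* Datagrams delivered for one USB transfer; `queued` stands in for rx_list. */
int unwrap(const uint8_t *buf, size_t len, int tolerate_pad) {
    int queued = 0;
    for (size_t off = 0, blk = 0; off < len; off += blk) {
        if (tolerate_pad && off > 0 && len - off == 1 && buf[off] == 0x00)
            break;                              /* lone pad byte after a good NTB */
        int n = parse_one(buf + off, len - off, &blk);
        if (n < 0) return 0;                    /* error path drops everything queued */
        queued += n;
    }
    return queued;
}

/* Constructed sample: 1024-byte NTB16 (blk_len 0x400, ndp_len 0x10) holding one
 * 64-byte datagram, followed by `pad` bytes of value `fill`. */
size_t make_transfer(uint8_t *buf, size_t pad, uint8_t fill) {
    static const uint8_t hdr[] = { 'N','C','M','H', 12,0, 0x67,0xce, 0,4, 12,0,
                                   'N','C','M','0', 16,0, 0,0, 28,0, 64,0, 0,0, 0,0 };
    memset(buf, 0, 1024);
    memcpy(buf, hdr, sizeof hdr);
    memset(buf + 1024, fill, pad);
    return 1024 + pad;
}

int main(void) {
    uint8_t buf[1032];
    size_t len = make_transfer(buf, 1, 0x00);   /* 1025 bytes, as in the trace */
    printf("naive=%d pad-tolerant=%d\n", unwrap(buf, len, 0), unwrap(buf, len, 1));
    return 0;
}
```

With tolerate_pad set to 0 the single trailing 0x00 byte is handed to the parser as a second NTB, fails the header check, and the datagram already queued from the valid 1024-byte block is lost.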
Potential Impact
For European organizations, this vulnerability primarily impacts devices running Linux kernels with USB gadget NCM support used in tethering scenarios, such as embedded systems, IoT devices, or network appliances that rely on USB tethering with Windows 11 hosts. The main impact is denial of service due to dropped network packets, which can disrupt critical communications, remote management, or data transfer operations. This can affect sectors relying on stable network connectivity including telecommunications, manufacturing, healthcare, and public services. While the vulnerability does not expose data to unauthorized access or modification, the availability degradation can cause operational interruptions and potential financial losses. Organizations using Linux-based network gateways or USB tethering as fallback connectivity in remote or mobile deployments may experience intermittent connectivity failures. The lack of required privileges or user interaction for exploitation increases the risk in environments where Windows 11 hosts connect to Linux gadgets. However, the impact is limited to network availability and does not extend to system compromise or data breaches.
Mitigation Recommendations
1. Update Linux kernels to the latest stable versions where the patch for CVE-2024-27405 is applied, ensuring the USB gadget NCM code correctly handles leftover bytes without dropping valid datagrams.
2. For embedded or IoT devices with limited update capabilities, consider disabling USB gadget NCM functionality if tethering is not required or use alternative tethering methods.
3. Implement network monitoring to detect unusual packet loss or tethering failures that may indicate attempts to exploit this vulnerability.
4. Educate IT and security teams about the issue to avoid using Windows 11 hosts for tethering with vulnerable Linux devices until patches are applied.
5. For critical deployments, test tethering scenarios with patched kernels in controlled environments before production rollout.
6. Collaborate with device vendors to ensure timely firmware and kernel updates addressing this vulnerability.
7. Employ endpoint security controls on Windows 11 hosts to restrict unauthorized USB connections to Linux gadgets where feasible.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:47:42.681Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe338b
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 7/3/2025, 1:26:17 AM
Last updated: 8/12/2025, 7:58:50 AM