CVE-2024-36894: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

FFS based applications can utilize the aio_cancel() callback to dequeue pending USB requests submitted to the UDC. There is a scenario where the FFS application issues an AIO cancel call, while the UDC is handling a soft disconnect. For a DWC3 based implementation, the callstack looks like the following:

        DWC3 Gadget                               FFS Application
    dwc3_gadget_soft_disconnect()              ...
      --> dwc3_stop_active_transfers()
        --> dwc3_gadget_giveback(-ESHUTDOWN)
          --> ffs_epfile_async_io_complete()   ffs_aio_cancel()
            --> usb_ep_free_request()            --> usb_ep_dequeue()

There is currently no locking implemented between the AIO completion handler and AIO cancel, so the issue occurs if the completion routine is running in parallel to an AIO cancel call coming from the FFS application. As the completion call frees the USB request (io_data->req) the FFS application is also referencing it for the usb_ep_dequeue() call. This can lead to accessing a stale/hanging pointer.

commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently") relocated the usb_ep_free_request() into ffs_epfile_async_io_complete(). However, in order to properly implement locking to mitigate this issue, the spinlock can't be added to ffs_epfile_async_io_complete(), as usb_ep_dequeue() (if successfully dequeuing a USB request) will call the function driver's completion handler in the same context. Hence, leading into a deadlock.

Fix this issue by moving the usb_ep_free_request() back to ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req to NULL after freeing it within the ffs->eps_lock. This resolves the race condition above, as the ffs_aio_cancel() routine will not continue attempting to dequeue a request that has already been freed, or the ffs_user_copy_work() not freeing the USB request until the AIO cancel is done referencing it.
This fix depends on commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
AI Analysis
Technical Summary
CVE-2024-36894 is a medium severity vulnerability in the Linux kernel's USB gadget subsystem, specifically affecting the FunctionFS (FFS) implementation used in USB device emulation. The vulnerability arises from a race condition between asynchronous I/O (AIO) cancellation and completion handling within the USB gadget driver stack.

In detail, when an FFS-based application issues an aio_cancel() call to dequeue pending USB requests submitted to the USB Device Controller (UDC), a race can occur if the UDC is simultaneously handling a soft disconnect event. The affected code path involves the DWC3 USB controller driver, where the soft disconnect triggers stopping active transfers and completing USB requests with an error status. The problem is that the completion handler frees the USB request structure (io_data->req) without proper synchronization against concurrent aio_cancel() calls that attempt to dequeue the same request. This leads to a use-after-free or stale pointer dereference scenario, which can cause kernel crashes or undefined behavior.

The root cause is the lack of locking between the AIO completion handler and the AIO cancel routine. Attempts to add locking directly to the completion handler were avoided due to potential deadlocks, as the completion handler may invoke the function driver's completion callback in the same context. The fix implemented moves the usb_ep_free_request() call back to a worker context (ffs_user_copy_worker()) and ensures that the freed request pointer is set to NULL within a spinlock-protected section. This prevents the aio_cancel() routine from accessing freed memory and resolves the race condition.

The vulnerability is tracked under CWE-362 (Race Condition) and has a CVSS v3.1 base score of 5.6, reflecting a medium severity with high impact on confidentiality and availability but requiring physical or local access (AV:P) and high attack complexity (AC:H). No known exploits are currently reported in the wild.
The vulnerability affects Linux kernel versions containing the specified commit hashes prior to the fix and is relevant for systems using USB gadget FunctionFS with DWC3 controllers, commonly found in embedded devices and development boards running Linux.
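The following userspace C model is an added illustration of the locking discipline the fix describes; it is not the kernel's f_fs.c code and is not part of this advisory. It keeps the three rules the commit message lays out: the completion handler neither frees the request nor takes eps_lock (because usb_ep_dequeue() invokes it synchronously from the cancel path while that lock is held), the worker is the only place the request is freed and it stores NULL into io_data->req inside the same critical section, and the cancel path checks that pointer under the lock before dequeuing. The struct layouts, the mock usb_ep_dequeue() and give-back helpers, and the run_ordering()/run_race() drivers are assumptions made for the model; a pthread mutex stands in for the spinlock.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel objects named in the commit message. */
struct usb_request { bool queued; };
struct ffs_data { pthread_mutex_t eps_lock; };                 /* ffs->eps_lock */
struct ffs_io_data { struct ffs_data *ffs; struct usb_request *req; int status; };

/* Completion handler: records status, leaves the free to the worker. It must not
 * take eps_lock: usb_ep_dequeue() calls it from the cancel path under that lock. */
static void ffs_epfile_async_io_complete(struct ffs_io_data *io, int status)
{
    io->status = status;          /* the real handler also schedules the worker */
}

/* Dequeue: a still-queued request is given back in the caller's context. */
static int usb_ep_dequeue(struct ffs_io_data *io)
{
    if (!io->req->queued)
        return -EINVAL;
    io->req->queued = false;
    ffs_epfile_async_io_complete(io, -ECONNRESET);
    return 0;
}

/* Give-back on soft disconnect, i.e. dwc3_gadget_giveback(-ESHUTDOWN) in the
 * trace. Simplification: the real UDC has its own lock; this model reuses eps_lock. */
static void udc_giveback_shutdown(struct ffs_io_data *io)
{
    pthread_mutex_lock(&io->ffs->eps_lock);
    if (io->req && io->req->queued) {
        io->req->queued = false;
        ffs_epfile_async_io_complete(io, -ESHUTDOWN);
    }
    pthread_mutex_unlock(&io->ffs->eps_lock);
}

/* Cancel: the NULL check under eps_lock keeps a freed request out of dequeue. */
static int ffs_aio_cancel(struct ffs_io_data *io)
{
    pthread_mutex_lock(&io->ffs->eps_lock);
    int value = io->req ? usb_ep_dequeue(io) : -EINVAL;
    pthread_mutex_unlock(&io->ffs->eps_lock);
    return value;
}

/* Worker: the only place the request is freed; the pointer is cleared in the
 * same critical section, so cancel can never observe a stale value. */
static void ffs_user_copy_worker(struct ffs_io_data *io)
{
    pthread_mutex_lock(&io->ffs->eps_lock);
    free(io->req);                /* usb_ep_free_request() stand-in */
    io->req = NULL;
    pthread_mutex_unlock(&io->ffs->eps_lock);
}

static void io_init(struct ffs_data *ffs, struct ffs_io_data *io)
{
    pthread_mutex_init(&ffs->eps_lock, NULL);
    *io = (struct ffs_io_data){ .ffs = ffs, .req = malloc(sizeof *io->req) };
    io->req->queued = true;
}

static void *udc_side(void *arg)        /* UDC thread: give-back, then deferred free */
{
    udc_giveback_shutdown(arg);
    ffs_user_copy_worker(arg);
    return NULL;
}

/* One fixed ordering. Returns cancel's result: 0 when it ran first (dequeued and
 * completed without deadlock), -EINVAL when the UDC side had already completed
 * and freed; -1 if the request pointer was not NULL afterwards. */
static int run_ordering(bool cancel_first)
{
    struct ffs_data ffs; struct ffs_io_data io; int v;
    io_init(&ffs, &io);
    if (cancel_first) { v = ffs_aio_cancel(&io); udc_side(&io); }
    else              { udc_side(&io); v = ffs_aio_cancel(&io); }
    pthread_mutex_destroy(&ffs.eps_lock);
    return io.req == NULL ? v : -1;
}

/* Both sides concurrently, `iters` times. Returns how often cancel found nothing
 * to dequeue, or -1 on any violation (unexpected result or non-NULL pointer). */
static int run_race(int iters)
{
    int nothing_to_dequeue = 0;
    for (int i = 0; i < iters; i++) {
        struct ffs_data ffs; struct ffs_io_data io; pthread_t t;
        io_init(&ffs, &io);
        if (pthread_create(&t, NULL, udc_side, &io) != 0) return -1;
        int v = ffs_aio_cancel(&io);
        pthread_join(t, NULL);
        pthread_mutex_destroy(&ffs.eps_lock);
        if (io.req != NULL || (v != 0 && v != -EINVAL)) return -1;
        nothing_to_dequeue += (v == -EINVAL);
    }
    return nothing_to_dequeue;
}
```

Build with `cc -pthread -fsanitize=address`. run_ordering() pins the two serializations the fix has to make safe, and run_race() lets the scheduler pick; because the worker stores NULL under the same lock that cancel checks, every interleaving ends with io_data->req cleared and the request freed exactly once. The same harness is a useful regression check when backporting the fix: if the lock or the NULL store is left out, ASan reports the stale access the advisory describes.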
Potential Impact
For European organizations, the impact of CVE-2024-36894 depends largely on their use of Linux-based embedded systems or devices that utilize the USB gadget FunctionFS framework, particularly those employing DWC3 USB controllers. Such devices are common in industrial control systems, IoT gateways, telecom equipment, and development platforms. Exploitation of this race condition can lead to kernel crashes (denial of service) or potentially enable local privilege escalation or information leakage through memory corruption, impacting system availability and confidentiality. Organizations relying on Linux-based embedded devices for critical infrastructure or operational technology may face service disruptions or require costly incident response and device replacement. However, the attack vector requires local or physical access to the device (attack vector: physical), and the attack complexity is high, limiting remote exploitation risks. The vulnerability does not require user interaction but does require at least low privileges on the device. Therefore, the threat is more significant in environments where untrusted users or processes have local access to vulnerable devices. European sectors such as manufacturing, energy, telecommunications, and research institutions using Linux embedded devices should assess their exposure. The absence of known exploits reduces immediate risk, but timely patching is recommended to prevent future exploitation.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2024-36894 as soon as they become available from trusted Linux distribution vendors or upstream kernel sources.
2. For embedded devices or custom Linux builds, rebuild and deploy updated kernel images incorporating the fix.
3. Restrict local access to devices running vulnerable Linux kernels, especially limiting unprivileged user access to USB gadget interfaces.
4. Implement strict access controls and monitoring on devices that expose USB gadget FunctionFS interfaces to detect abnormal AIO cancellation or USB disconnect events.
5. Where possible, disable unused USB gadget functions or interfaces to reduce the attack surface.
6. Employ kernel lockdown features or mandatory access controls (e.g., SELinux, AppArmor) to limit the ability of local users to perform operations that could trigger this race condition.
7. Conduct thorough testing of USB gadget functionality after patching to ensure stability and no regressions.
8. Maintain an inventory of devices using DWC3 USB controllers and FunctionFS to prioritize patching and risk assessment.
9. Educate system administrators and embedded device maintainers about the vulnerability and the importance of applying updates promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.066Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9828c4522896dcbe25d0
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 9:56:00 AM
Last updated: 8/11/2025, 11:03:41 AM