CVE-2024-36977: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Wait unconditionally after issuing EndXfer command
Currently all controller IP/revisions except DWC3_usb3 >= 310a wait 1ms unconditionally for ENDXFER completion when IOC is not set. This is because DWC_usb3 controller revisions >= 3.10a supports GUCTL2[14: Rst_actbitlater] bit which allows polling CMDACT bit to know whether ENDXFER command is completed.
Consider a case where an IN request was queued, and parallelly soft_disconnect was called (due to ffs_epfile_release). This eventually calls stop_active_transfer with IOC cleared, hence send_gadget_ep_cmd() skips waiting for CMDACT cleared during EndXfer. For DWC3 controllers with revisions >= 310a, we don't forcefully wait for 1ms either, and we proceed by unmapping the requests. If ENDXFER didn't complete by this time, it leads to SMMU faults since the controller would still be accessing those requests.
Fix this by ensuring ENDXFER completion by adding 1ms delay in __dwc3_stop_active_transfer() unconditionally.
AI Analysis
Technical Summary
CVE-2024-36977 is a medium-severity vulnerability in the Linux kernel affecting the USB controller driver for DesignWare Core USB3 (dwc3). The issue arises from improper handling of the EndXfer command completion in certain revisions of the DWC3 USB controller (specifically revisions >= 3.10a). Normally, for controller IP/revisions except DWC3_usb3 >= 310a, the driver waits unconditionally for 1 millisecond after issuing the EndXfer command to ensure completion. However, for revisions >= 3.10a, the hardware supports a polling mechanism via the GUCTL2 register bit to detect EndXfer completion, so the driver skips the unconditional wait.
The vulnerability manifests when an IN USB transfer request is queued and concurrently a soft_disconnect event occurs (triggered by ffs_epfile_release). This leads to the stop_active_transfer function being called with the Interrupt On Completion (IOC) flag cleared. Consequently, the send_gadget_ep_cmd() function skips waiting for the CMDACT bit to clear, which signals EndXfer completion. Because the driver does not wait for EndXfer completion and proceeds to unmap the USB requests prematurely, the USB controller may still access these requests, causing System Memory Management Unit (SMMU) faults. These faults can lead to system instability or crashes, impacting availability.
The fix implemented enforces a 1 millisecond delay unconditionally in the __dwc3_stop_active_transfer() function to guarantee EndXfer completion before unmapping requests, preventing the SMMU faults.
This vulnerability does not affect confidentiality or integrity directly but can cause denial of service through kernel crashes or instability. Exploitation requires local access with low privileges and no user interaction, but the attack complexity is high due to the need to trigger specific USB transfer and disconnect sequences. The CVSS v3.1 score is 4.7 (medium), reflecting the limited impact scope and exploitation complexity.
No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability primarily threatens system availability on Linux systems using affected DWC3 USB controller revisions. Systems relying on USB devices connected via these controllers may experience kernel crashes or instability, potentially disrupting critical operations, especially in environments with embedded Linux devices, industrial control systems, or servers using affected hardware. While the impact is not on confidentiality or integrity, denial of service conditions can lead to operational downtime and increased maintenance costs. Organizations with USB-dependent infrastructure, such as manufacturing, telecommunications, or research institutions, may be particularly affected if they use affected Linux kernel versions and hardware. The vulnerability requires local access, so remote exploitation is unlikely, but insider threats or compromised local users could trigger the fault.
Mitigation Recommendations
1. Apply the official Linux kernel patch that adds the unconditional 1ms delay in __dwc3_stop_active_transfer() to ensure EndXfer completion.
2. Upgrade Linux kernel versions to those including this fix as soon as they become available from trusted distributions.
3. Identify and inventory systems using affected DWC3 USB controller revisions (>= 3.10a) and verify kernel versions.
4. For critical systems where patching is delayed, consider disabling or limiting USB device usage or implementing strict local access controls to reduce risk of exploitation.
5. Monitor kernel logs for SMMU faults or USB-related errors that could indicate attempted exploitation or instability.
6. Engage with hardware vendors to confirm controller revisions and firmware updates that might mitigate related issues.
7. Incorporate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.
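Recommendation 5 as an added example (not part of the original advisory or of the kernel project): a Python scan of dmesg-style lines that lists SMMU faults and flags those logged close in time to dwc3 messages. The regex patterns, the 2-second window and the sample log lines are assumptions constructed for illustration; SMMU fault wording varies by IOMMU driver and kernel version.

```python
import re

# Assumed patterns: SMMU fault wording differs by IOMMU driver and kernel
# version, so adjust these to what the platform actually logs.
SMMU_FAULT = re.compile(
    r"arm-smmu.*(Unhandled context fault|event 0x[0-9a-f]+ received)", re.I)
DWC3_HINT = re.compile(r"\bdwc3\b", re.I)
LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
IOVA = re.compile(r"iova=(0x[0-9a-fA-F]+)")

# Constructed sample in dmesg format; not captured from a real system.
SAMPLE_LOG = """\
[  812.104233] dwc3 a600000.usb: constructed gadget disconnect message
[  812.104910] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0xfffe0000, fsynr=0x1, cb=3
[ 1440.500001] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x80000000, fsynr=0x1, cb=1
[ 1500.000100] usb 1-1: new high-speed USB device number 2 using xhci-hcd
"""


def parse(log):
    """Yield (seconds_since_boot, message) for each dmesg-style line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield float(m.group(1)), m.group(2)


def smmu_faults_near_dwc3(log, window_s=2.0):
    """List SMMU faults, flagging those within window_s of a dwc3 message."""
    events = list(parse(log))
    dwc3_times = [t for t, msg in events if DWC3_HINT.search(msg)]
    findings = []
    for t, msg in events:
        if not SMMU_FAULT.search(msg):
            continue
        iova = IOVA.search(msg)
        findings.append({
            "time": t,
            "iova": iova.group(1) if iova else None,
            # Time proximity is a heuristic, not proof the fault came from dwc3.
            "near_dwc3": any(abs(t - d) <= window_s for d in dwc3_times),
        })
    return findings


if __name__ == "__main__":
    for f in smmu_faults_near_dwc3(SAMPLE_LOG):
        note = "dwc3 activity nearby, check kernel version" if f["near_dwc3"] else "no dwc3 activity nearby"
        print(f"{f['time']:12.6f}s iova={f['iova']} {note}")
```

A flagged fault is a prompt to check whether the host runs a kernel with the fix, not a confirmed instance of this bug.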
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-30T15:25:07.082Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe285f
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 10:55:45 AM
Last updated: 8/16/2025, 4:32:12 AM