CVE-2024-38567: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

wifi: carl9170: add a proper sanity check for endpoints

Syzkaller reports [1] hitting a warning which is caused by presence of a wrong endpoint type at the URB submitting stage. While there was a check for a specific 4th endpoint, since it can switch types between bulk and interrupt, other endpoints are trusted implicitly. A similar warning is triggered in a couple of other syzbot issues [2].

Fix the issue by doing a comprehensive check of all endpoints taking into account difference between high- and full-speed configuration.

[1] Syzkaller report:
...
WARNING: CPU: 0 PID: 4721 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
 <TASK>
 carl9170_usb_send_rx_irq_urb+0x273/0x340 drivers/net/wireless/ath/carl9170/usb.c:504
 carl9170_usb_init_device drivers/net/wireless/ath/carl9170/usb.c:939 [inline]
 carl9170_usb_firmware_finish drivers/net/wireless/ath/carl9170/usb.c:999 [inline]
 carl9170_usb_firmware_step2+0x175/0x240 drivers/net/wireless/ath/carl9170/usb.c:1028
 request_firmware_work_func+0x130/0x240 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
 </TASK>

[2] Related syzkaller crashes:
AI Analysis
Technical Summary
CVE-2024-38567 is a vulnerability in the Linux kernel's carl9170 wireless driver, which supports certain Atheros USB wireless devices. The issue is insufficient validation of USB endpoint types before USB Request Blocks (URBs) are submitted. It was found by fuzzing with Syzkaller, which triggered a kernel warning in usb_submit_urb() when an URB was submitted to an endpoint of the wrong type. The root cause is that the driver only sanity-checked one specific endpoint, the fourth, because that endpoint can be either bulk or interrupt depending on the USB speed; every other endpoint was trusted as advertised by the device. A device that presents an unexpected endpoint layout can therefore cause URBs to be submitted against endpoints of the wrong type, producing kernel warnings, instability, or crashes. The fix validates all endpoints, taking into account the differences between the high-speed and full-speed configurations, so that malformed endpoint layouts are rejected before any URB is submitted. The vulnerability affects Linux kernel versions containing the carl9170 driver code prior to the patch. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The vulnerability primarily impacts systems using the affected wireless driver, which is part of the Linux kernel's USB wireless networking stack.
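As an added illustration (not the kernel's or the carl9170 driver's own code), a userland model of the kind of check the fix describes: validate every endpoint's direction and transfer type against the layout expected for the device speed before any URB is submitted, rather than trusting all but one endpoint. The endpoint numbers and directions in the table are assumptions; only the speed-dependent type of the 4th endpoint comes from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* USB spec constants: transfer type is the low two bits of bmAttributes,
 * direction is bit 7 of bEndpointAddress. */
#define XFER_MASK   0x03
#define XFER_BULK   0x02
#define XFER_INT    0x03
#define EP_DIR_IN   0x80
#define EP_NUM_MASK 0x0f

struct ep_desc { uint8_t addr; uint8_t attrs; }; /* subset of an endpoint descriptor */

/* Expected layout; endpoint numbers/directions are an assumption for illustration.
 * The advisory only states the 4th endpoint is bulk on high-speed, interrupt on full-speed. */
struct ep_rule { uint8_t num; uint8_t dir; uint8_t hs_type; uint8_t fs_type; };
static const struct ep_rule rules[] = {
    { 1, 0,         XFER_BULK, XFER_BULK }, /* data out */
    { 2, EP_DIR_IN, XFER_BULK, XFER_BULK }, /* data in */
    { 3, EP_DIR_IN, XFER_INT,  XFER_INT  }, /* irq in */
    { 4, 0,         XFER_BULK, XFER_INT  }, /* cmd out: type depends on speed */
};

/* Check every endpoint before any URB is submitted. Returns 0 when each
 * expected endpoint exists with the right direction and transfer type for
 * the device speed, otherwise the number of the first endpoint that fails. */
int check_endpoints(const struct ep_desc *eps, size_t n, bool high_speed)
{
    for (size_t r = 0; r < sizeof rules / sizeof rules[0]; r++) {
        uint8_t want = high_speed ? rules[r].hs_type : rules[r].fs_type;
        bool ok = false;
        for (size_t i = 0; i < n; i++) {
            if ((eps[i].addr & EP_NUM_MASK) != rules[r].num ||
                (eps[i].addr & EP_DIR_IN) != rules[r].dir)
                continue;
            ok = (eps[i].attrs & XFER_MASK) == want;
            break;
        }
        if (!ok)
            return rules[r].num;
    }
    return 0;
}

/* Constructed descriptor sets: valid high-speed, valid full-speed, and one
 * where the data-in endpoint is advertised as interrupt instead of bulk. */
const struct ep_desc good_hs[4] = {{0x01, XFER_BULK}, {0x82, XFER_BULK}, {0x83, XFER_INT}, {0x04, XFER_BULK}};
const struct ep_desc good_fs[4] = {{0x01, XFER_BULK}, {0x82, XFER_BULK}, {0x83, XFER_INT}, {0x04, XFER_INT}};
const struct ep_desc bad_rx[4]  = {{0x01, XFER_BULK}, {0x82, XFER_INT},  {0x83, XFER_INT}, {0x04, XFER_BULK}};
```

A check that only looked at endpoint 4 would accept bad_rx on a high-speed link; checking the whole layout rejects it at endpoint 2 and also catches a high-speed layout presented on a full-speed link.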
Potential Impact
For European organizations, the impact of CVE-2024-38567 depends largely on how many Linux systems use the carl9170 wireless driver. This driver supports legacy Atheros USB wireless chipsets, which may still be found in industrial, embedded, or specialized networking equipment. Exploitation could cause kernel crashes or denial of service, disrupting network connectivity and the availability of systems that depend on it. There is no evidence of privilege escalation or remote code execution, but the instability caused by malformed endpoint layouts could be used in targeted attacks to degrade system reliability or interrupt services. Organizations running Linux-based wireless infrastructure, particularly on legacy hardware, may face operational risks, and environments with strict uptime requirements or critical network services could see significant disruption. However, the lack of known exploits and the need for local access or a crafted USB device limits the immediate threat. The vulnerability nonetheless underlines the importance of keeping kernels updated so that wireless drivers remain robust against malformed devices.
Mitigation Recommendations
To mitigate CVE-2024-38567, European organizations should:
1) Apply the latest Linux kernel updates that include the patch for this vulnerability as soon as they become available, ensuring the carl9170 driver performs comprehensive endpoint validation.
2) Audit and inventory hardware to identify devices using the affected Atheros USB wireless chipsets and consider replacing legacy hardware where feasible.
3) Restrict physical access to systems to prevent attackers from connecting malicious USB devices that could exploit this vulnerability.
4) Implement USB device whitelisting or disable unused USB ports on critical systems to reduce the attack surface.
5) Monitor system logs for kernel warnings or crashes related to USB URB submissions, which may indicate attempted exploitation or instability.
6) For embedded or industrial Linux deployments, coordinate with vendors to obtain patched firmware or kernel versions.
These steps go beyond generic advice by focusing on hardware inventory, physical security, and proactive monitoring tailored to the nature of this USB driver vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-06-18T19:36:34.923Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9829c4522896dcbe29cf
Added to database: 5/21/2025, 9:08:57 AM
Last enriched: 6/29/2025, 11:25:59 AM
Last updated: 8/7/2025, 9:25:52 PM