CVE-2024-41035: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates.
AI Analysis
Technical Summary
CVE-2024-41035 is a vulnerability identified in the Linux kernel's USB core subsystem, specifically related to the handling of USB endpoint descriptors. The issue arises from an incorrect assumption in the usbcore code that the reserved bits in the bEndpointAddress field of a USB endpoint descriptor are always zero. According to the USB 2.0 and USB 3.1 specifications, these reserved bits should indeed be reset to zero. However, the Linux kernel's usbcore did not clear these bits before processing, which led to the endpoint_is_duplicate() routine potentially misidentifying two endpoints as distinct when they actually share the same endpoint number and direction. This can cause confusion in the USB core's internal representation of endpoints, for example, treating two descriptors with the same endpoint number and direction but different transfer types (interrupt vs bulk) as separate endpoints. The root cause is that the reserved bits were not cleared, allowing spurious differences to appear in endpoint descriptors. The fix involves clearing these reserved bits early in the usb_parse_endpoint() function by making a copy of the descriptor and using this sanitized copy for duplicate endpoint checks. This correction ensures that the USB core correctly identifies duplicate endpoints and prevents inconsistent endpoint handling. While no known exploits are currently reported in the wild, the vulnerability could potentially lead to USB device misbehavior, driver confusion, or denial of service scenarios if malicious or malformed USB descriptors are presented to the system. The affected versions include multiple Linux kernel commits prior to the patch date, indicating a broad impact across many Linux kernel versions used in various distributions and devices.
Potential Impact
For European organizations, the impact of CVE-2024-41035 primarily concerns systems running Linux kernels with the vulnerable usbcore implementation. Since Linux is widely used in enterprise servers, cloud infrastructure, embedded systems, and IoT devices across Europe, this vulnerability could affect a broad range of critical infrastructure and business environments. Potential impacts include system instability or denial of service caused by malformed USB devices exploiting the descriptor parsing flaw. This could disrupt operations, especially in environments relying on USB peripherals for input devices, storage, or specialized hardware. While the vulnerability does not directly enable code execution or privilege escalation, the confusion in USB endpoint handling could be leveraged by attackers to cause device malfunctions or interfere with USB communications, potentially impacting data availability and operational continuity. Organizations in sectors with high reliance on Linux-based systems, such as telecommunications, manufacturing, finance, and government, may face increased risk. Additionally, embedded Linux devices used in industrial control systems or critical infrastructure could be affected, raising concerns about operational reliability and security. The absence of known exploits reduces immediate risk, but the vulnerability's nature warrants prompt attention to prevent future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2024-41035 effectively, European organizations should: 1) Prioritize updating Linux kernels to versions that include the patch clearing reserved bits in USB endpoint descriptors. This is the definitive fix and should be applied as soon as possible. 2) For environments where immediate kernel updates are not feasible, implement strict USB device usage policies, including disabling USB ports where possible or restricting USB device types to trusted hardware only. 3) Employ USB device monitoring and anomaly detection tools to identify unusual USB descriptor behavior or device enumeration issues that could indicate exploitation attempts. 4) In embedded or specialized Linux devices, coordinate with vendors to obtain patched firmware or kernel updates. 5) Conduct thorough testing of USB device interactions post-patch to ensure no regressions or compatibility issues arise. 6) Maintain robust incident response plans that include USB-related attack vectors, ensuring rapid containment if exploitation is suspected. These steps go beyond generic advice by focusing on practical controls tailored to the vulnerability's USB descriptor parsing context and the operational realities of Linux deployments in Europe.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Finland, Belgium
CVE-2024-41035: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Syzbot has identified a bug in usbcore (see the Closes: tag below) caused by our assumption that the reserved bits in an endpoint descriptor's bEndpointAddress field will always be 0. As a result of the bug, the endpoint_is_duplicate() routine in config.c (and possibly other routines as well) may believe that two descriptors are for distinct endpoints, even though they have the same direction and endpoint number. This can lead to confusion, including the bug identified by syzbot (two descriptors with matching endpoint numbers and directions, where one was interrupt and the other was bulk). To fix the bug, we will clear the reserved bits in bEndpointAddress when we parse the descriptor. (Note that both the USB-2.0 and USB-3.1 specs say these bits are "Reserved, reset to zero".) This requires us to make a copy of the descriptor earlier in usb_parse_endpoint() and use the copy instead of the original when checking for duplicates.
AI-Powered Analysis
Technical Analysis
CVE-2024-41035 is a vulnerability identified in the Linux kernel's USB core subsystem, specifically related to the handling of USB endpoint descriptors. The issue arises from an incorrect assumption in the usbcore code that the reserved bits in the bEndpointAddress field of a USB endpoint descriptor are always zero. According to the USB 2.0 and USB 3.1 specifications, these reserved bits should indeed be reset to zero. However, the Linux kernel's usbcore did not clear these bits before processing, which led to the endpoint_is_duplicate() routine potentially misidentifying two endpoints as distinct when they actually share the same endpoint number and direction. This can cause confusion in the USB core's internal representation of endpoints, for example, treating two descriptors with the same endpoint number and direction but different transfer types (interrupt vs bulk) as separate endpoints. The root cause is that the reserved bits were not cleared, allowing spurious differences to appear in endpoint descriptors. The fix involves clearing these reserved bits early in the usb_parse_endpoint() function by making a copy of the descriptor and using this sanitized copy for duplicate endpoint checks. This correction ensures that the USB core correctly identifies duplicate endpoints and prevents inconsistent endpoint handling. While no known exploits are currently reported in the wild, the vulnerability could potentially lead to USB device misbehavior, driver confusion, or denial of service scenarios if malicious or malformed USB descriptors are presented to the system. The affected versions include multiple Linux kernel commits prior to the patch date, indicating a broad impact across many Linux kernel versions used in various distributions and devices.
Potential Impact
For European organizations, the impact of CVE-2024-41035 primarily concerns systems running Linux kernels with the vulnerable usbcore implementation. Since Linux is widely used in enterprise servers, cloud infrastructure, embedded systems, and IoT devices across Europe, this vulnerability could affect a broad range of critical infrastructure and business environments. Potential impacts include system instability or denial of service caused by malformed USB devices exploiting the descriptor parsing flaw. This could disrupt operations, especially in environments relying on USB peripherals for input devices, storage, or specialized hardware. While the vulnerability does not directly enable code execution or privilege escalation, the confusion in USB endpoint handling could be leveraged by attackers to cause device malfunctions or interfere with USB communications, potentially impacting data availability and operational continuity. Organizations in sectors with high reliance on Linux-based systems, such as telecommunications, manufacturing, finance, and government, may face increased risk. Additionally, embedded Linux devices used in industrial control systems or critical infrastructure could be affected, raising concerns about operational reliability and security. The absence of known exploits reduces immediate risk, but the vulnerability's nature warrants prompt attention to prevent future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2024-41035 effectively, European organizations should: 1) Prioritize updating Linux kernels to versions that include the patch clearing reserved bits in USB endpoint descriptors. This is the definitive fix and should be applied as soon as possible. 2) For environments where immediate kernel updates are not feasible, implement strict USB device usage policies, including disabling USB ports where possible or restricting USB device types to trusted hardware only. 3) Employ USB device monitoring and anomaly detection tools to identify unusual USB descriptor behavior or device enumeration issues that could indicate exploitation attempts. 4) In embedded or specialized Linux devices, coordinate with vendors to obtain patched firmware or kernel updates. 5) Conduct thorough testing of USB device interactions post-patch to ensure no regressions or compatibility issues arise. 6) Maintain robust incident response plans that include USB-related attack vectors, ensuring rapid containment if exploitation is suspected. These steps go beyond generic advice by focusing on practical controls tailored to the vulnerability's USB descriptor parsing context and the operational realities of Linux deployments in Europe.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.619Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9821c4522896dcbddf37
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 4:25:34 AM
Last updated: 8/11/2025, 3:51:26 AM
Views: 12
Related Threats
CVE-2025-36000: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM WebSphere Application Server Liberty
MediumCVE-2025-55169: CWE-287: Improper Authentication in LabRedesCefetRJ WeGIA
CriticalCVE-2025-43734: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-36124: CWE-268 Privilege Chaining in IBM WebSphere Application Server Liberty
MediumCVE-2025-55168: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.