CVE-2024-44960 is a vulnerability identified in the Linux kernel's USB gadget core subsystem. The issue arises from insufficient validation when accessing the maxpacket field of USB endpoint descriptors. Specifically, the kernel code did not verify whether the descriptor pointer was properly set before dereferencing it. This flaw can lead to a null pointer dereference and cause a kernel panic, resulting in a denial of service (DoS) condition. The vulnerability manifests if a USB gadget driver fails to correctly set up the endpoint descriptor for the current USB speed or if the gadget descriptors are malformed such that the descriptor for the speed/endpoint combination is missing. Although no existing gadget drivers are currently known to trigger this bug, the vulnerability poses a risk during the development of new USB gadget drivers or when malformed descriptors are encountered. The fix involves adding a check to ensure the descriptor is set before accessing maxpacket, preventing the null pointer dereference. The affected Linux kernel versions include multiple recent commits prior to the patch, indicating that this vulnerability is present in actively maintained kernel branches. No known exploits are reported in the wild, and no CVSS score has been assigned yet.

For European organizations, the primary impact of CVE-2024-44960 is the potential for denial of service on Linux systems that utilize USB gadget functionality. This is particularly relevant for embedded devices, IoT gateways, and specialized hardware that implement USB gadget drivers to emulate USB devices. A successful exploitation could cause the kernel to panic and reboot, disrupting critical services or operations relying on these devices. While the vulnerability does not directly lead to privilege escalation or data compromise, the resulting system instability could affect availability and operational continuity. Organizations developing or deploying custom USB gadget drivers are at higher risk, as malformed descriptors or incomplete endpoint setups during development could trigger this issue. Given the widespread use of Linux in European infrastructure, including telecommunications, industrial control systems, and public sector IT, any disruption caused by kernel panics could have cascading effects. However, since no known exploits exist and the vulnerability requires specific conditions, the immediate risk is moderate but warrants attention to prevent future exploitation as new gadget drivers are developed or deployed.

European organizations should promptly apply the Linux kernel patches that address CVE-2024-44960 once available from their distribution vendors or upstream Linux kernel sources. For environments developing or deploying custom USB gadget drivers, rigorous testing should be conducted to ensure all endpoint descriptors are correctly initialized for all supported USB speeds, avoiding malformed or missing descriptors. Implementing static and dynamic code analysis tools focused on USB gadget code can help detect descriptor setup issues early in the development lifecycle. Additionally, organizations should monitor kernel logs for signs of null pointer panics related to USB gadget operations and isolate affected devices for troubleshooting. Where feasible, limiting or disabling USB gadget functionality on systems that do not require it can reduce the attack surface. Maintaining a robust patch management process and subscribing to Linux kernel security advisories will ensure timely awareness and remediation of this and similar vulnerabilities.