
CVE-2024-45006: Vulnerability in Linux Linux

High
Published: Wed Sep 04 2024 (09/04/2024, 19:54:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix Panther Point NULL pointer deref at full-speed re-enumeration

Re-enumerating full-speed devices after a failed address device command can trigger a NULL pointer dereference.

Full-speed devices may need to reconfigure the endpoint 0 Max Packet Size value during enumeration. USB core calls usb_ep0_reinit() in this case, which ends up calling xhci_configure_endpoint().

On Panther Point xHC the xhci_configure_endpoint() function will additionally check and reserve bandwidth in software. Other hosts do this in hardware.

If the xHC address device command fails then a new xhci_virt_device structure is allocated as part of re-enabling the slot, but the bandwidth table pointers are not set up properly here.

This triggers the NULL pointer dereference the next time usb_ep0_reinit() is called and xhci_configure_endpoint() tries to check and reserve bandwidth:

[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125600] #PF: supervisor read access in kernel mode
[46711.125603] #PF: error_code(0x0000) - not-present page
[46711.125606] PGD 0 P4D 0
[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1
[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c

Fix this by making sure bandwidth table pointers are set up correctly after a failed address device command, and additionally by avoiding checking for bandwidth in cases like this where no actual endpoints are added or removed, i.e. only the context for default control endpoint 0 is evaluated.

AI-Powered Analysis

Last updated: 06/28/2025, 23:41:22 UTC

Technical Analysis

CVE-2024-45006 is a vulnerability identified in the Linux kernel's USB xHCI (Extensible Host Controller Interface) driver, specifically affecting the handling of full-speed USB devices during re-enumeration after a failed address device command. The vulnerability arises from improper handling of bandwidth table pointers within the xhci_configure_endpoint() function when the xHC (xHCI host controller) address device command fails. In this scenario, a new xhci_virt_device structure is allocated to re-enable the USB slot, but the bandwidth table pointers are not correctly initialized. Subsequently, when usb_ep0_reinit() is called to reconfigure endpoint 0 (the default control endpoint) and xhci_configure_endpoint() attempts to check and reserve bandwidth, it dereferences a NULL pointer, leading to a kernel NULL pointer dereference and a kernel oops (crash). This bug is specific to Panther Point xHC implementations, where bandwidth reservation is handled in software rather than hardware as in other hosts. The vulnerability can be triggered by connecting or re-enumerating full-speed USB devices that require endpoint 0 Max Packet Size reconfiguration, especially if the device does not respond properly to the setup address command. The kernel crash results in a denial of service (DoS) condition, potentially destabilizing systems relying on the affected Linux kernel versions. The patch involves ensuring bandwidth table pointers are properly set after a failed address device command and avoiding bandwidth checks when only the default control endpoint context is evaluated without actual endpoint changes. This vulnerability affects multiple Linux kernel versions identified by the commit hash 651aaf36a7d7b36a58980e70133f9437d4f6d312 and was published on September 4, 2024. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet.

Potential Impact

For European organizations, this vulnerability poses a risk primarily in environments where Linux systems are used with USB devices, including servers, workstations, and embedded systems. The vulnerability can be exploited unintentionally by connecting or re-enumerating certain full-speed USB devices that fail the address device command, causing kernel crashes and system instability. This can lead to denial of service conditions, disrupting critical operations, especially in sectors relying on Linux-based infrastructure such as telecommunications, finance, manufacturing, and public services. The impact is heightened in environments with high USB device turnover or automated USB device management. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel crash can cause downtime, data loss, or interruption of services. Systems handling sensitive or real-time data may be particularly affected. The lack of known exploits reduces immediate risk, but the vulnerability's presence in widely deployed Linux kernels means organizations must act promptly to prevent potential exploitation or accidental triggering.

Mitigation Recommendations

European organizations should prioritize updating their Linux kernel to the patched versions that address CVE-2024-45006 as soon as they become available from their Linux distribution vendors. Until patches are applied, organizations should implement the following mitigations:

1) Restrict or monitor the use of full-speed USB devices, especially those that are untrusted or frequently connected/disconnected, to reduce the chance of triggering the vulnerability.
2) Employ USB device whitelisting or endpoint security solutions to control USB device enumeration and prevent unauthorized devices from connecting.
3) For critical systems, consider disabling USB ports where feasible or using hardware-based USB port control to limit exposure.
4) Monitor system logs for kernel oops or USB-related errors indicative of attempted exploitation or accidental triggering.
5) Engage with Linux distribution security advisories and subscribe to vendor notifications to ensure timely patch deployment.
6) In virtualized or containerized environments, isolate USB device passthrough carefully to limit impact scope.

These steps go beyond generic advice by focusing on controlling USB device interactions and monitoring specific kernel behaviors related to this vulnerability.
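One way to implement the log monitoring in step 4: an added example (not from the advisory or the kernel project) that scans dmesg-style lines for the sequence quoted in the description, a failed address device command on a full-speed port followed shortly by a NULL pointer oops with RIP in xhci_reserve_bandwidth. The sample input is the excerpt from the description plus one benign line; the 5-second correlation window is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the dmesg excerpt quoted in the CVE description, plus
# one unrelated high-speed enumeration line the detector should ignore.
SAMPLE_DMESG = """\
[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd
[46710.713699] usb 3-1: Device not responding to setup address.
[46710.917684] usb 3-1: Device not responding to setup address.
[46711.125536] usb 3-1: device not accepting address 5, error -71
[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008
[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]
[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c
[46712.000000] usb 3-2: new high-speed USB device number 6 using xhci_hcd
"""

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s(?P<msg>.*)$")
NEW_FS_RE = re.compile(r"^usb (?P<port>[\d.-]+): new full-speed USB device")
ADDR_FAIL_RE = re.compile(r"^usb (?P<port>[\d.-]+): device not accepting address \d+, error -?\d+")

@dataclass
class Finding:
    port: str                          # USB port (e.g. "3-1") whose address command failed
    addr_fail_ts: float                # timestamp of the "device not accepting address" line
    oops_ts: Optional[float] = None    # timestamp of the NULL pointer oops, if one followed
    in_xhci_bandwidth: bool = False    # RIP pointed into xhci_reserve_bandwidth (assumed signature)

def scan(dmesg: str, window_s: float = 5.0) -> list:
    """Return findings where a full-speed address failure is followed within
    window_s seconds by a NULL pointer oops; flag those whose RIP matches."""
    fs_ports, pending = set(), {}
    for raw in dmesg.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if (n := NEW_FS_RE.match(msg)):
            fs_ports.add(n["port"])
        elif (a := ADDR_FAIL_RE.match(msg)) and a["port"] in fs_ports:
            pending[a["port"]] = Finding(a["port"], ts)
        elif msg.startswith("BUG: kernel NULL pointer dereference"):
            for f in pending.values():
                if f.oops_ts is None and ts - f.addr_fail_ts <= window_s:
                    f.oops_ts = ts
        elif msg.startswith("RIP:") and "xhci_reserve_bandwidth" in msg:
            for f in pending.values():
                if f.oops_ts is not None:
                    f.in_xhci_bandwidth = True
    return [f for f in pending.values() if f.oops_ts is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_DMESG):
        print(f"port {f.port}: oops at {f.oops_ts}, xhci bandwidth path: {f.in_xhci_bandwidth}")
```

Feed it `dmesg -T`-free output (`dmesg` or `journalctl -k -o short-monotonic` style timestamps in square brackets); a finding with `in_xhci_bandwidth` set is the crash signature this CVE describes.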


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T05:34:56.679Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9826c4522896dcbe0e8c

Added to database: 5/21/2025, 9:08:54 AM

Last enriched: 6/28/2025, 11:41:22 PM

Last updated: 8/10/2025, 5:13:23 PM

