CVE-2024-26933 Overview
CVE-2024-26933 is a deadlock vulnerability in the Linux kernel's USB core subsystem. The vulnerability exists in the disable sysfs attribute handling code within port.c, where the show and store callback routines acquire the device lock for the port's parent hub device. This can lead to a deadlock condition when another process has locked the hub to remove it or change its configuration.
Critical Impact
A local attacker with low privileges can trigger a deadlock condition that results in system hang or denial of service, with potential for high confidentiality, integrity, and availability impact on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel 6.9-rc1
- Systems utilizing USB hub functionality with sysfs attribute access
Discovery Timeline
- 2024-05-01 - CVE-2024-26933 published to NVD
- 2025-03-07 - Last updated in NVD database
Technical Details for CVE-2024-26933
Vulnerability Analysis
This vulnerability is classified as a deadlock condition (CWE-667: Improper Locking) within the Linux kernel's USB subsystem. The flaw occurs when interacting with the disable sysfs attribute file for USB port devices. When this attribute is accessed (either read or write operations), the callback routines disable_show() and disable_store() attempt to acquire the device lock for the port's parent hub.
The deadlock scenario emerges when a concurrent process holds the hub lock to perform hub removal or configuration changes. Hub removal requires the hub interface to be removed, which in turn requires the port device to be removed. The device_del() function waits until all outstanding sysfs attribute callbacks return before completing, but the callbacks cannot return until they acquire the lock that is held by the removal process.
Root Cause
The root cause lies in improper lock ordering between the sysfs attribute callback execution and the device removal path. The disable_show() and disable_store() functions directly attempt to acquire the hub device lock without consideration for the possibility that a concurrent removal operation may already hold this lock and be waiting for the sysfs callback to complete.
The fix involves calling sysfs_break_active_protection() to prevent the sysfs core from waiting for the attribute's callback routine to return, which allows the removal process to proceed. Additionally, to prevent use-after-free conditions after breaking active protection, the fix acquires a reference to the hub structure using hub_get() before proceeding.
Attack Vector
The vulnerability requires local access to the system with low-privilege user permissions. An attacker can exploit this by:
- Gaining access to the sysfs interface for USB port devices (typically at /sys/bus/usb/devices/*/)
- Triggering concurrent operations on the disable attribute while USB hub removal or reconfiguration is in progress
- Creating a race condition that leads to the deadlock scenario
The exploitation does not require user interaction and can be triggered programmatically. The attack surface is limited to systems where an unprivileged user has access to USB sysfs attributes.
Detection Methods for CVE-2024-26933
Indicators of Compromise
- System hangs or unresponsive states during USB hub hot-plug events
- Processes stuck in uninterruptible sleep (D state) with stack traces showing disable_show or disable_store functions
- Kernel soft lockup warnings referencing USB core or hub driver code paths
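The D-state indicator above can be checked directly from /proc. The following POSIX shell function is an added example, not part of the original advisory; it lists tasks in uninterruptible sleep whose kernel stack contains disable_show or disable_store. The helper names, the proc-root parameter and the sample tree (including its stack frames and offsets) are constructed for illustration.

```sh
# Added example, not from the advisory. Lists PIDs of tasks that are in
# uninterruptible sleep (state D) and whose kernel stack contains the
# disable_show or disable_store callback named in the indicators above.
# The proc root is a parameter so the logic can run on a constructed tree;
# on a live host pass /proc and run as root (needed to read <pid>/stack).
find_stuck_disable_tasks() (
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # "State:<TAB>D (disk sleep)" -> "D"
        state="$(awk '/^State:/ {print $2; exit}' "$dir/status")"
        [ "$state" = "D" ] || continue
        # -w matches the symbol as a whole word, so foo_disable_store is ignored
        if grep -Ewq 'disable_show|disable_store' "$dir/stack" 2>/dev/null; then
            echo "${dir##*/}"
        fi
    done
)

# Constructed sample data: three fake /proc/<pid> entries.
make_sample_proc() (
    root="$1"
    mkdir -p "$root/101" "$root/102" "$root/103"
    # 101: blocked in the port attribute callback -> should be reported
    printf 'Name:\tcat\nState:\tD (disk sleep)\n' > "$root/101/status"
    printf '[<0>] __mutex_lock+0x2e1/0x6b0\n[<0>] disable_show+0x5c/0x120\n' > "$root/101/stack"
    # 102: same frame, but the task is only sleeping (S) -> ignored
    printf 'Name:\ttee\nState:\tS (sleeping)\n' > "$root/102/status"
    printf '[<0>] disable_store+0x40/0x1a0\n' > "$root/102/stack"
    # 103: D state, but a different (made-up) symbol -> ignored
    printf 'Name:\tdd\nState:\tD (disk sleep)\n' > "$root/103/status"
    printf '[<0>] foo_disable_store+0x10/0x40\n' > "$root/103/stack"
)

# Demo on the constructed tree; use find_stuck_disable_tasks /proc on a host.
sample="$(mktemp -d)"
make_sample_proc "$sample"
find_stuck_disable_tasks "$sample"
rm -rf "$sample"
```

A reported PID is a lead, not a verdict: review the full stack for the USB hub and port frames before attributing the hang to this issue.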
Detection Strategies
- Monitor system logs for soft lockup warnings containing USB subsystem references
- Implement kernel tracing on USB hub device lock acquisition patterns
- Deploy SentinelOne Singularity for real-time kernel behavior monitoring and anomaly detection
Monitoring Recommendations
- Enable kernel watchdog to detect and report soft lockup conditions
- Configure syslog alerts for USB subsystem errors and kernel warnings
- Utilize SentinelOne's EDR capabilities to monitor for unusual sysfs access patterns on USB device nodes
How to Mitigate CVE-2024-26933
Immediate Actions Required
- Update to a patched Linux kernel version immediately
- Restrict access to USB sysfs attributes using appropriate file system permissions
- Monitor systems for signs of exploitation during the patching window
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches. Apply the appropriate patch for your kernel version:
| Patch Reference | Commit URL |
|---|---|
| Commit 4facc94 | Kernel Commit 4facc94 |
| Commit 73d1589 | Kernel Commit 73d1589 |
| Commit 9dac54f | Kernel Commit 9dac54f |
| Commit f4d1960 | Kernel Commit f4d1960 |
| Commit f518498 | Kernel Commit f518498 |
Workarounds
- Restrict sysfs access to USB port disable attributes using file system permissions
- Disable unprivileged access to USB sysfs by adjusting udev rules
- In containerized environments, ensure USB sysfs is not mounted or accessible to untrusted workloads
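```bash
# Restrict access to USB port sysfs disable attributes (run as root).
# sysfs entries are recreated at boot and when a hub is re-enumerated,
# so this chmod does not persist and must be reapplied.
chmod 600 /sys/bus/usb/devices/*/*/disable 2>/dev/null

# Add udev rule to restrict disable attribute access.
# Note: udev's MODE key sets the permissions of a device node, so confirm
# with ls -l that the sysfs attribute mode actually changes after a replug.
echo 'SUBSYSTEM=="usb", ATTR{disable}=="*", MODE="0600"' > /etc/udev/rules.d/99-usb-disable-restrict.rules
udevadm control --reload-rules
```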
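Because the permission change has to hold after every boot and hub re-enumeration, it is worth verifying rather than assuming. The following check is an added example, not part of the original advisory; it reports disable attributes that group or other users can still access. The function names, the sysfs-root parameter and the sample tree are constructed for illustration, and it assumes GNU stat.

```sh
# Added example, not from the advisory. Prints "<mode> <path>" for every
# USB port disable attribute whose mode still grants group/other access.
# The sysfs root is a parameter so the check can run on a constructed tree;
# on a live host call audit_disable_attrs /sys. Requires GNU stat (-c).
audit_disable_attrs() (
    sysfs_root="${1:-/sys}"
    for attr in "$sysfs_root"/bus/usb/devices/*/*/disable; do
        [ -e "$attr" ] || continue          # glob matched nothing
        mode="$(stat -c '%a' "$attr")"      # octal mode, e.g. 644
        case "$mode" in
            *00|0) ;;                       # owner-only (600, 400, 0): fine
            *)     echo "$mode $attr" ;;    # group/other bits still set
        esac
    done
)

# Constructed sample tree mirroring the <interface>/<port>/disable layout.
make_sample_sysfs() (
    base="$1/bus/usb/devices"
    mkdir -p "$base/1-0:1.0/usb1-port1" "$base/1-0:1.0/usb1-port2" \
             "$base/2-0:1.0/usb2-port1"
    for port in 1-0:1.0/usb1-port1 1-0:1.0/usb1-port2 2-0:1.0/usb2-port1; do
        echo 0 > "$base/$port/disable"
    done
    chmod 644 "$base/1-0:1.0/usb1-port1/disable"   # not yet restricted
    chmod 600 "$base/1-0:1.0/usb1-port2/disable"   # workaround applied
    chmod 600 "$base/2-0:1.0/usb2-port1/disable"   # workaround applied
)

# Demo on the constructed tree.
sample="$(mktemp -d)"
make_sample_sysfs "$sample"
audit_disable_attrs "$sample"
rm -rf "$sample"
```

Empty output means every attribute found is owner-only; any line printed identifies a port whose attribute still needs restricting.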