The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-36896

CVE-2024-36896: Linux Kernel Use-After-Free Vulnerability

CVE-2024-36896 is a use-after-free vulnerability in the Linux Kernel USB core that causes access violations during port device removal. This article covers technical details, affected versions, impact, and mitigation.

Published: April 1, 2026

CVE-2024-36896 Overview

CVE-2024-36896 is a Null Pointer Dereference vulnerability in the Linux kernel's USB core subsystem, specifically affecting the port device removal process. The flaw was discovered through testing with KASAN (Kernel Address Sanitizer) and syzkaller, revealing a critical bug in port.c:disable_store() where usb_hub_to_struct_hub() can return NULL if the hub that the port belongs to is concurrently removed. The function fails to check for this possibility before dereferencing the returned value, leading to potential access violations.

Critical Impact

This vulnerability can result in unauthorized data modification and complete system denial of service when exploited, as attackers can trigger null pointer dereferences in the USB subsystem during concurrent hub removal operations.

Affected Products

  • Linux Kernel (multiple versions)
  • Linux Kernel 6.9-rc1 through 6.9-rc6
  • Linux Kernel stable branches (see vendor advisories for specific version ranges)

Discovery Timeline

  • May 30, 2024 - CVE-2024-36896 published to NVD
  • April 1, 2025 - Last updated in NVD database

Technical Details for CVE-2024-36896

Vulnerability Analysis

This vulnerability represents a classic race condition scenario combined with a null pointer dereference (CWE-476). The issue resides in the USB hub driver's port management code within the Linux kernel. During normal operation, the disable_store() and disable_show() functions in port.c call usb_hub_to_struct_hub() to obtain a reference to the parent hub structure. However, these functions do not account for the scenario where the hub may be concurrently removed by another process or thread.

When a hub is removed while these functions are executing, usb_hub_to_struct_hub() returns NULL, but the code proceeds to dereference this NULL pointer when accessing hub->intfdev. This results in a kernel panic or memory corruption, depending on the system's memory layout and protections.

Root Cause

The root cause is a missing NULL check after calling usb_hub_to_struct_hub(). The function assumes the hub will always be present when accessed, but concurrent device removal creates a Time-of-Check Time-of-Use (TOCTOU) race condition. The vulnerability affects both disable_store() and disable_show() routines in the port management code. The fix involves recognizing that hub->intfdev is actually the parent of the port device, eliminating the need for the first dereference, and adding an explicit NULL check for the hub pointer before any further operations.

Attack Vector

The vulnerability is exploitable over the network (as indicated by the CVSS attack vector), though practical exploitation would typically require the ability to trigger USB device enumeration and removal events. An attacker capable of manipulating USB device states—either through physical access, USB-over-network protocols, or virtualized USB devices—could potentially exploit this race condition to cause system instability or denial of service.

The attack requires precise timing to trigger the race condition between:

  1. A legitimate access to the port's disable sysfs interface
  2. Concurrent removal of the parent USB hub device

This race window, while narrow, was reproducibly triggered by the syzkaller fuzzer, indicating it is achievable under real-world conditions.

Detection Methods for CVE-2024-36896

Indicators of Compromise

  • Kernel panic messages referencing port.c, disable_store, or disable_show functions
  • System crashes during USB hub hot-plug or removal events
  • KASAN reports indicating null pointer dereferences in USB subsystem code
  • Unexpected system reboots correlated with USB device connection/disconnection activity
  • Kernel oops messages mentioning usb_hub_to_struct_hub function

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) in development and testing environments to catch null pointer dereferences
  • Monitor kernel logs (dmesg, /var/log/kern.log) for USB-related panics or oops messages
  • Deploy kernel live patching solutions to receive immediate notification of vulnerable kernel versions
  • Use SentinelOne Singularity platform for real-time kernel vulnerability detection and endpoint protection

Monitoring Recommendations

  • Implement centralized kernel log collection and analysis to identify patterns of USB subsystem crashes
  • Configure alerting for kernel panic events, particularly those involving USB drivers
  • Monitor for unusual USB device enumeration patterns that could indicate exploitation attempts
  • Deploy endpoint detection solutions capable of identifying kernel-level anomalies

How to Mitigate CVE-2024-36896

Immediate Actions Required

  • Update to a patched Linux kernel version that includes the security fix
  • Review systems for signs of exploitation, particularly unexplained USB-related crashes
  • Consider disabling unused USB ports at the BIOS/UEFI level on critical systems
  • Implement kernel live patching where immediate reboots are not feasible
  • Monitor vendor security advisories for your specific Linux distribution

Patch Information

The Linux kernel maintainers have released patches addressing this vulnerability across multiple stable branches. The fix involves two key changes: removing an unnecessary dereference by using the port device's parent directly instead of hub->intfdev, and adding an explicit NULL check for the hub pointer to prevent dereferencing when the hub has been concurrently removed.

Patches are available in the following commits:

  • Kernel Git Commit 5f1d68e
  • Kernel Git Commit 6119ef6
  • Kernel Git Commit 6353354
  • Kernel Git Commit a4b46d4

Workarounds

  • Restrict physical and logical access to USB subsystem management interfaces
  • On systems where kernel updates cannot be immediately applied, consider using security modules (SELinux, AppArmor) to restrict access to USB sysfs interfaces
  • Disable the USB port disable functionality through sysfs if not required for operations
  • Implement strict USB device authorization policies to limit unauthorized device enumeration
bash
# Example: Restrict access to USB port disable interface
chmod 600 /sys/bus/usb/devices/*/port*/disable

# Verify current kernel version and check if patched
uname -r
# Compare against patched versions in vendor advisories

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeUse After Free
  • Vendor/TechLinux Kernel
  • SeverityCRITICAL
  • CVSS Score9.1
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-476
  • Vendor Resources
  • Kernel Git Commit 5f1d68e
  • Kernel Git Commit 6119ef6
  • Kernel Git Commit 6353354
  • Kernel Git Commit a4b46d4
  • Related CVEs
  • CVE-2026-23408: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23415: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23413: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-23412: Linux Kernel Use-After-Free Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English