CVE-2024-36896 Overview
CVE-2024-36896 is a NULL pointer dereference vulnerability [CWE-476] in the Linux kernel's USB core subsystem. The flaw resides in port.c within the disable_store() and disable_show() routines. Testing with KASAN and syzkaller revealed that usb_hub_to_struct_hub() can return NULL when the parent hub is concurrently removed. The kernel dereferences the returned pointer without validation, triggering an access violation. The vulnerability affects Linux kernel versions through 6.9-rc6 and impacts integrity and availability.
Critical Impact
Concurrent USB hub removal can trigger a kernel NULL pointer dereference, leading to memory corruption or kernel crash on affected Linux systems.
Affected Products
- Linux Kernel versions prior to the patched stable releases
- Linux Kernel 6.9-rc1 through 6.9-rc6
- Distributions shipping vulnerable upstream kernels with USB hub support enabled
Discovery Timeline
- 2024-05-30 - CVE-2024-36896 published to NVD
- 2025-04-01 - Last updated in NVD database
Technical Details for CVE-2024-36896
Vulnerability Analysis
The vulnerability exists in the USB core port handling code at drivers/usb/core/port.c. The disable_store() and disable_show() sysfs handlers call usb_hub_to_struct_hub() to retrieve the parent hub structure for a USB port device. This helper can return NULL when the hub is being concurrently removed during teardown.
The original code dereferences the returned hub pointer without a NULL check. When a race occurs between port sysfs access and hub removal, the kernel attempts to read from address zero. This produces an access violation reportable by KASAN as a use-after-free or NULL pointer dereference.
The fix replaces the unnecessary first dereference because hub->intfdev is already accessible as the parent of the port device. Reviewers added an explicit hub == NULL check to prevent further dereferences along the same code path.
Root Cause
The root cause is a missing NULL check after calling usb_hub_to_struct_hub() in concurrent removal scenarios. The function's return value was assumed to always be valid. Race conditions during hub teardown invalidate this assumption.
Attack Vector
Triggering the flaw requires interaction with the USB port sysfs interface during hub removal. A local attacker with the ability to read or write disable sysfs attributes while triggering hub disconnect events can race the two operations. Successful exploitation crashes the kernel or corrupts memory state.
No verified public proof-of-concept code is available for CVE-2024-36896. See the upstream patches referenced below for technical details on the fix.
Detection Methods for CVE-2024-36896
Indicators of Compromise
- Kernel panic messages referencing usb_hub_to_struct_hub, disable_store, or disable_show in port.c
- KASAN reports identifying NULL pointer dereference in the USB core during hub removal
- Unexpected system crashes correlated with USB device hot-plug or removal events
Detection Strategies
- Inspect kernel version with uname -r and compare against patched stable releases listed in the kernel.org commits
- Monitor dmesg output for oops messages tied to USB port sysfs operations
- Audit running kernels across the fleet using configuration management tools to identify unpatched 6.9-rc builds
Monitoring Recommendations
- Forward kernel ring buffer and journalctl -k output to a centralized logging system for anomaly review
- Alert on repeated USB-related kernel oops events from the same host
- Track USB hub hot-plug churn on production systems where attackers may attempt to race device removal
How to Mitigate CVE-2024-36896
Immediate Actions Required
- Upgrade affected systems to a Linux kernel release containing the upstream fix
- Identify hosts running 6.9-rc1 through 6.9-rc6 and prioritize them for kernel updates
- Restrict local user access on multi-tenant systems until patches are deployed
Patch Information
The vulnerability is resolved in upstream stable kernels via the following commits: Kernel Git Commit 5f1d68e, Kernel Git Commit 6119ef6, Kernel Git Commit 6353354, and Kernel Git Commit a4b46d4. The fix adds a hub == NULL check and removes the unnecessary dereference in disable_store() and disable_show().
Workarounds
- Restrict write access to USB port sysfs attributes under /sys/bus/usb/devices/*/disable using udev rules or file permissions
- Limit physical and logical access to USB hot-plug events on exposed systems
- Disable unused USB hub controllers via kernel boot parameters where operationally feasible
# Verify current kernel version and apply distribution kernel update
uname -r
sudo apt update && sudo apt install --only-upgrade linux-image-$(uname -r | sed 's/-generic//')
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
