CVE-2024-26715 in Linux
Summary
by MITRE • 04/03/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
In current scenario if Plug-out and Plug-In performed continuously there could be a chance while checking for dwc->gadget_driver in dwc3_gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2: gadget_unbind_driver dwc3_suspend_common dwc3_gadget_stop dwc3_gadget_suspend dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable. Consider CPU1 is running and right before gadget_driver is cleared and in parallel CPU2 executes dwc3_gadget_suspend where it finds dwc->gadget_driver which is not NULL and resumes execution and then CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where it checks dwc->gadget_driver is already NULL because of which the NULL pointer deference occur.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/03/2025
The vulnerability CVE-2024-26715 represents a critical race condition in the Linux kernel's USB Device Controller Driver for DesignWare USB3 (dwc3) gadget implementation. This flaw specifically affects the dwc3_gadget_suspend function where a NULL pointer dereference can occur under specific concurrent execution conditions. The issue stems from improper synchronization between the driver unbinding process and the suspend handling operations within the USB gadget framework, creating a temporal window where memory access violations become possible.
The technical root cause of this vulnerability lies in the lack of proper locking mechanisms when accessing the dwc->gadget_driver pointer during concurrent operations. When a USB device undergoes rapid plug-out and plug-in cycles, the system experiences a race condition between two distinct execution paths. The first path involves CPU1 executing gadget_unbind_driver which clears the gadget_driver variable, while CPU2 simultaneously executes dwc3_gadget_suspend which checks the dwc->gadget_driver pointer. This creates a scenario where CPU2 may read a non-NULL value from dwc->gadget_driver before CPU1 has completed clearing it, but then CPU2 proceeds to execute dwc3_disconnect_gadget which finds the pointer already NULL, resulting in the NULL pointer dereference.
This vulnerability directly maps to CWE-367, which identifies Time-of-Check to Time-of-Use (TOCTOU) race conditions, and also relates to CWE-476, which covers NULL Pointer Dereference. The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to denial of service conditions where the entire USB subsystem becomes unstable. Attackers could potentially exploit this race condition to cause system instability or even achieve privilege escalation depending on the execution context. The vulnerability affects systems running Linux kernel versions that include the dwc3 gadget driver implementation, particularly those handling high-frequency USB device interactions.
The call stack execution pattern reveals a classic concurrent programming flaw where the absence of proper synchronization primitives allows for inconsistent state access. The specific sequence shows CPU1 clearing the gadget_driver reference while CPU2 is in the middle of checking and processing that same reference, creating a temporal inconsistency that leads to the dereference of a NULL pointer. This type of vulnerability is particularly dangerous in embedded systems and server environments where USB connectivity is critical for device management and system operations. The fix for this vulnerability requires implementing proper locking mechanisms around the dwc->gadget_driver pointer access to ensure atomicity during the critical sections of code execution.
Mitigation strategies for CVE-2024-26715 should focus on implementing proper synchronization mechanisms such as mutex locks or spinlocks around the affected code sections to prevent concurrent access to the gadget_driver pointer. System administrators should prioritize updating to kernel versions that include the patched dwc3 gadget driver implementation, as the vulnerability exists in the core USB subsystem and affects all systems utilizing DesignWare USB3 controllers. Organizations should also implement monitoring for unusual USB device disconnection patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of proper concurrent programming practices in kernel space, particularly when dealing with shared resources that undergo rapid state transitions. Additionally, this issue highlights the need for comprehensive testing of race conditions in USB and device driver subsystems, especially those handling high-frequency device interactions and state changes.