CVE-2024-26717 in Linux
Summary
by MITRE • 04/03/2024
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid-of: fix NULL-deref on failed power up
A while back the I2C HID implementation was split in an ACPI and OF part, but the new OF driver never initialises the client pointer which is dereferenced on power-up failures.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/03/2025
The vulnerability CVE-2024-26717 represents a critical null pointer dereference flaw within the Linux kernel's HID (Human Interface Device) subsystem, specifically affecting the i2c-hid-of driver component. This issue arises from an incomplete implementation during the refactoring process where the I2C HID functionality was separated into ACPI and OF (Open Firmware) variants. The original implementation properly handled device client initialization, but the newly introduced OF driver failed to initialize the client pointer variable, creating a dangerous condition that can lead to system crashes or potential exploitation.
The technical flaw manifests in the power-up failure handling mechanism of the i2c-hid-of driver where the client pointer remains uninitialized when device initialization encounters errors. According to CWE-476, this constitutes a null pointer dereference vulnerability that occurs when a pointer expected to contain a valid memory address instead contains NULL, leading to a kernel panic or system instability. When the device power-up process fails, the driver attempts to dereference this uninitialized client pointer, causing the kernel to crash and potentially allowing unauthorized users to exploit this condition for denial-of-service attacks or privilege escalation.
This vulnerability directly impacts the operational stability of Linux systems that utilize I2C HID devices, particularly those employing device tree configurations for hardware enumeration. The operational impact extends beyond simple system crashes as it affects the reliability of input device handling in embedded systems, desktop environments, and server platforms where I2c-hid devices are commonly deployed. The flaw is particularly concerning in automotive systems, industrial control environments, and IoT devices where system stability is paramount, as it could lead to complete system failure during device initialization phases. According to ATT&CK framework tactic TA0040 (Execution), this vulnerability could potentially be leveraged by adversaries to achieve system compromise through controlled kernel crashes or by exploiting the underlying memory corruption conditions.
The mitigation strategy involves applying the kernel patch that ensures proper initialization of the client pointer within the i2c-hid-of driver before any power-up failure handling occurs. System administrators should prioritize updating to kernel versions containing the fix, typically found in kernel releases 6.8 and later, as the vulnerability affects the core HID subsystem that handles keyboard, mouse, and other input device communications. Additionally, implementing proper kernel hardening measures including stack canaries, kernel address space layout randomization, and strict pointer validation can provide additional defense-in-depth measures. Organizations should also conduct thorough testing of updated kernel versions in their environments to ensure compatibility with existing hardware configurations and device tree specifications.