CVE-2024-26919 in Linuxinfo

Summary

by MITRE • 04/17/2024

In the Linux kernel, the following vulnerability has been resolved:

usb: ulpi: Fix debugfs directory leak

The ULPI per-device debugfs root is named after the ulpi device's parent, but ulpi_unregister_interface tries to remove a debugfs directory named after the ulpi device itself. This results in the directory sticking around and preventing subsequent (deferred) probes from succeeding. Change the directory name to match the ulpi device.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/16/2025

The vulnerability identified as CVE-2024-26919 represents a critical resource management issue within the Linux kernel's USB subsystem, specifically affecting the Universal Serial Bus Low Pin Interface (ULPI) driver implementation. This flaw manifests as a debugfs directory leak that occurs during the unregistering process of ULPI interfaces, creating persistent filesystem artifacts that interfere with normal system operations. The issue directly impacts the kernel's ability to properly manage USB device probe sequences and can lead to system instability or complete failure of USB device enumeration processes.

The technical root cause of this vulnerability stems from a naming inconsistency in the debugfs directory management logic within the ULPI driver code. When a ULPI device is registered, the driver creates a debugfs directory using the parent device's name as the identifier. However, during the unregistration process, the ulpi_unregister_interface function attempts to remove a directory using the ULPI device's own name instead of the parent device's name that was actually created. This fundamental mismatch in directory naming conventions results in the debugfs directory remaining in the filesystem, creating a persistent resource leak that cannot be cleaned up through normal kernel operations.

The operational impact of this vulnerability extends beyond simple resource waste to potentially catastrophic system behavior during USB device management. When the debugfs directory remains uncleared, subsequent deferred probe operations for USB devices fail because the kernel cannot properly establish or access the required debugfs structure. This creates a cascading failure mode where USB device enumeration becomes unreliable, leading to potential device disconnections, system hangs, or complete USB subsystem failures. The vulnerability is particularly concerning in embedded systems or devices that rely heavily on USB connectivity, where such failures could result in complete system lockdown.

This vulnerability maps directly to CWE-404, which describes improper resource management or resource leaks in software systems. The issue also aligns with ATT&CK technique T1547.001, which involves establishing persistence through kernel modules or drivers, as the leaked debugfs directory creates a persistent artifact that can interfere with system operations. The fix implemented addresses this by standardizing the directory naming convention to match the actual ULPI device identifier rather than the parent device reference, ensuring proper cleanup during the unregister process.

Mitigation strategies for CVE-2024-26919 focus primarily on applying the kernel patch that corrects the debugfs directory naming inconsistency. System administrators should prioritize updating their Linux kernel versions to include the fix, particularly in production environments where USB reliability is critical. Monitoring for USB device enumeration failures or system hangs following USB device connections can help identify if the vulnerability has been triggered. Additionally, administrators should implement regular system health checks that verify the proper cleanup of debugfs directories related to USB subsystem operations, ensuring that no stale artifacts remain in the filesystem that could interfere with normal kernel operations.

Reservation

02/19/2024

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!