CVE-2024-26996 in Linuxinfo

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

When ncm function is working and then stop usb0 interface for link down, eth_stop() is called. At this piont, accidentally if usb transport error should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

After that, ncm_disable() is called to disable for ncm unbind but gether_disconnect() is never called since 'in_ep' is not enabled.

As the result, ncm object is released in ncm unbind but 'dev->port_usb' associated to 'ncm->port' is not NULL.

And when ncm bind again to recover netdev, ncm object is reallocated but usb0 interface is already associated to previous released ncm object.

Therefore, once usb0 interface is up and eth_start_xmit() is called, released ncm object is dereferrenced and it might cause use-after-free memory.

[function unlink via configfs]
usb0: eth_stop dev->port_usb=ffffff9b179c3200 --> error happens in usb_ep_enable(). NCM: ncm_disable: ncm=ffffff9b179c3200 --> no gether_disconnect() since ncm->port.in_ep->enabled is false. NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200 NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm

[function link via configfs]
NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000 NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000 NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0 usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm usb0: eth_start dev->port_usb=ffffff9b179c3200 <-- eth_start_xmit() --> dev->wrap() Unable to handle kernel paging request at virtual address dead00000000014f

This patch addresses the issue by checking if 'ncm->netdev' is not NULL at ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'. It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect rather than check 'ncm->port.in_ep->enabled' since it might not be enabled but the gether connection might be established.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/06/2026

The vulnerability described in CVE-2024-26996 represents a use-after-free condition within the Linux kernel's USB gadget framework, specifically affecting the NCM (Network Control Model) function driver. This flaw occurs during the dynamic re-binding of USB network interfaces, particularly when handling transport errors that interrupt the USB endpoint enablement process. The issue manifests when the USB gadget framework attempts to manage network interface state transitions while USB transport errors occur, leading to improper cleanup of NCM object references. The vulnerability stems from the kernel's USB gadget subsystem where the NCM function driver fails to properly disconnect underlying USB transport layers when endpoint enabling operations fail, creating a scenario where freed memory structures remain referenced by network device objects.

The technical root cause involves a race condition and improper state management within the USB gadget framework's NCM implementation. When the USB transport encounters an error during endpoint enabling, the 'in_ep' or 'out_ep' endpoints may fail to enable properly, yet the NCM disable logic does not account for this scenario. The system calls ncm_disable() to clean up the NCM object but omits the critical gether_disconnect() call because the framework incorrectly assumes that endpoint state indicates connection status. This oversight results in the NCM object being freed while still maintaining references in the device's port_usb field. When the system later rebinds the NCM function, it allocates a new NCM object but the network device continues to reference the previously freed memory location, creating a use-after-free condition during subsequent network packet transmission operations.

This vulnerability has significant operational impact within embedded Linux systems that utilize USB gadget functionality for network communication, particularly those implementing USB CDC NCM networking. The flaw can be triggered through normal USB interface management operations such as link down events followed by reconnection attempts, making it exploitable in environments where USB network interfaces are dynamically managed. The use-after-free condition can potentially lead to system crashes, memory corruption, or in worst-case scenarios, privilege escalation if exploited by malicious actors. The vulnerability affects systems using the Linux kernel's USB gadget framework with NCM function drivers, which are commonly found in embedded devices, network appliances, and USB-to-ethernet adapters that support CDC NCM networking standards.

The mitigation strategy implemented in the patch addresses the fundamental flaw by modifying the ncm_disable() function to check for the existence of ncm->netdev rather than relying on endpoint enablement status for determining whether to call gether_disconnect(). This approach aligns with proper defensive programming practices and follows the principle of validating object state before operations. The fix ensures that proper cleanup occurs regardless of endpoint enablement failures, maintaining consistency in the USB gadget framework's object lifecycle management. From a cybersecurity perspective, this vulnerability aligns with CWE-416 (Use After Free) and represents a classic example of improper resource management in kernel space. The solution follows ATT&CK framework techniques related to privilege escalation and system compromise through kernel vulnerabilities, emphasizing the importance of proper resource deallocation and state validation in kernel drivers. This patch demonstrates the critical need for robust error handling in USB gadget frameworks where multiple layers of abstraction must maintain consistent state management during error conditions.

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00233

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!