CVE-2024-36896 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Fix access violation during port device removal
Testing with KASAN and syzkaller revealed a bug in port.c:disable_store(): usb_hub_to_struct_hub() can return NULL if the hub that the port belongs to is concurrently removed, but the function does not check for this possibility before dereferencing the returned value.
It turns out that the first dereference is unnecessary, since hub->intfdev is the parent of the port device, so it can be changed easily. Adding a check for hub == NULL prevents further problems.
The same bug exists in the disable_show() routine, and it can be fixed the same way.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/22/2025
The vulnerability described in CVE-2024-36896 represents a critical access violation flaw within the Linux kernel's USB subsystem, specifically affecting the USB core functionality during port device removal operations. This issue manifests as a NULL pointer dereference that occurs when the system attempts to handle concurrent removal of USB hubs while port device operations are in progress. The vulnerability was identified through rigorous testing using KASAN memory error detection tools and syzkaller automated fuzzing framework, which are standard industry practices for identifying kernel-level memory corruption vulnerabilities. The flaw exists in the port.c file within the usb core module, specifically in the disable_store() function where the usb_hub_to_struct_hub() function can return NULL when a hub is concurrently being removed from the system. This race condition creates a dangerous scenario where the kernel attempts to dereference a NULL pointer, potentially leading to system crashes or exploitation by malicious actors.
The technical implementation of this vulnerability stems from improper error handling in the USB hub management code where the system fails to validate the return value from usb_hub_to_struct_hub() before proceeding with subsequent operations. The function usb_hub_to_struct_hub() is designed to convert hub identifiers into hub structure pointers, but when concurrent removal operations occur, it may legitimately return NULL to indicate that the hub structure is no longer available. However, the original code does not account for this possibility and proceeds to dereference the returned NULL pointer, causing immediate system instability. The vulnerability is further compounded by the fact that the same flaw exists in the disable_show() routine, indicating a systemic code pattern issue rather than a isolated incident. The root cause aligns with CWE-476 which defines NULL Pointer Dereference as a common vulnerability where programs fail to check for NULL values before dereferencing pointers. This particular implementation flaw demonstrates how concurrent access patterns in kernel space can create race conditions that are particularly dangerous due to the privileged execution context of kernel code.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation or denial of service attacks within kernel space. When a USB hub is concurrently removed while port operations are active, the system's USB subsystem can experience immediate termination or unpredictable behavior, leading to complete system instability. This vulnerability affects systems running Linux kernels that incorporate the affected USB core code, potentially impacting desktop computers, servers, and embedded devices that rely on USB connectivity. The nature of the flaw makes it particularly dangerous because USB hubs are fundamental components in computing systems, and their removal or manipulation can occur during normal system operations, making exploitation relatively straightforward. From an attacker perspective, this vulnerability could be leveraged to cause system crashes or potentially gain elevated privileges if combined with other kernel vulnerabilities, making it a significant concern for system administrators and security professionals managing Linux-based systems.
Mitigation strategies for CVE-2024-36896 should prioritize applying the official kernel patches that implement proper NULL pointer checks in both the disable_store() and disable_show() functions. The fix involves adding a simple but crucial validation check to ensure that hub pointer is not NULL before attempting to dereference it, specifically checking for hub == NULL immediately after calling usb_hub_to_struct_hub(). This approach directly addresses the race condition by preventing the kernel from attempting operations on invalid hub structures during concurrent removal scenarios. System administrators should prioritize updating their kernel versions to include the patched code, particularly in production environments where USB connectivity is critical. Additionally, implementing monitoring for USB-related system calls and concurrent hub removal operations can help detect potential exploitation attempts. The fix also aligns with ATT&CK technique T1068 which covers privilege escalation through kernel vulnerabilities, making proper patching essential for maintaining system security posture. Organizations should also consider implementing USB device access controls and monitoring to reduce the attack surface, as this vulnerability demonstrates how fundamental system components can be exploited when proper concurrency handling is not implemented. The vulnerability serves as a reminder of the importance of proper error handling in kernel space and the critical need for thorough testing of concurrent access patterns in system-level code.