5.5

CVE-2024-41035

EPSS 0.01%
Veröffentlicht 29.07.2024 15:15:12
Zuletzt bearbeitet 03.11.2025 22:17:25
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

Syzbot has identified a bug in usbcore (see the Closes: tag below)
caused by our assumption that the reserved bits in an endpoint
descriptor's bEndpointAddress field will always be 0.  As a result of
the bug, the endpoint_is_duplicate() routine in config.c (and possibly
other routines as well) may believe that two descriptors are for
distinct endpoints, even though they have the same direction and
endpoint number.  This can lead to confusion, including the bug
identified by syzbot (two descriptors with matching endpoint numbers
and directions, where one was interrupt and the other was bulk).

To fix the bug, we will clear the reserved bits in bEndpointAddress
when we parse the descriptor.  (Note that both the USB-2.0 and USB-3.1
specs say these bits are "Reserved, reset to zero".)  This requires us
to make a copy of the descriptor earlier in usb_parse_endpoint() and
use the copy instead of the original when checking for duplicates.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 12

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 3.2.87 < 3.3

Linux ≫ Linux Kernel Version >= 3.10.106 < 3.11

Linux ≫ Linux Kernel Version >= 3.12.70 < 3.13

Linux ≫ Linux Kernel Version >= 3.16.42 < 3.17

Linux ≫ Linux Kernel Version >= 4.1.39 < 4.2

Linux ≫ Linux Kernel Version >= 4.4.42 < 4.5

Linux ≫ Linux Kernel Version >= 4.9.3 < 4.10

Linux ≫ Linux Kernel Version >= 4.10.1 < 4.19.318

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.280

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.222

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.163

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.100

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.41

Linux ≫ Linux Kernel Version >= 6.7 < 6.9.10

Linux ≫ Linux Kernel Version4.10 Update-

Linux ≫ Linux Kernel Version4.10 Updaterc3

Linux ≫ Linux Kernel Version4.10 Updaterc4

Linux ≫ Linux Kernel Version4.10 Updaterc5

Linux ≫ Linux Kernel Version4.10 Updaterc6

Linux ≫ Linux Kernel Version4.10 Updaterc7

Linux ≫ Linux Kernel Version4.10 Updaterc8

Linux ≫ Linux Kernel Version6.10 Updaterc1

Linux ≫ Linux Kernel Version6.10 Updaterc2

Linux ≫ Linux Kernel Version6.10 Updaterc3

Linux ≫ Linux Kernel Version6.10 Updaterc4

Linux ≫ Linux Kernel Version6.10 Updaterc5

Linux ≫ Linux Kernel Version6.10 Updaterc6

Linux ≫ Linux Kernel Version6.10 Updaterc7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.008

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://git.kernel.org/stable/c/2bd8534a1b83c65702aec3cab164170f8e584188

Patch

https://git.kernel.org/stable/c/37514a5c1251a8c5c95c323f55050736e7069ac7

Patch

https://git.kernel.org/stable/c/60abea505b726b38232a0ef410d2bd1994a77f78

Patch

https://git.kernel.org/stable/c/647d61aef106dbed9c70447bcddbd4968e67ca64

Patch

https://git.kernel.org/stable/c/9edcf317620d7c6a8354911b69b874cf89716646

Patch

https://git.kernel.org/stable/c/a368ecde8a5055b627749b09c6218ef793043e47

Patch

https://git.kernel.org/stable/c/d09dd21bb5215d583ca9a1cb1464dbc77a7e88cf

Patch

https://git.kernel.org/stable/c/d8418fd083d1b90a6c007cf8dcf81aeae274727b

Patch

https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

https://nvd.nist.gov/vuln/detail/CVE-2024-41035

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41035

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41035

EUVD