CVE-2024-41097

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.14.0-rc4-syzkaller

Description The issue occurs due to incomplete checking of present USB endpoints, which can lead to wrong endpoint types being used at the URB submitting stage. This triggers a warning in usb submit urb(). The problem is resolved by verifying that required endpoint types are present for both in and out endpoints, taking into account the cmd endpoint type. Unfortunately, this patch has not been tested on real hardware.

Recommendations To resolve the issue, update the Linux kernel to a version that includes the fix for the endpoint checking in cxacru bind(). As a temporary workaround, consider disabling the cxacru bind() function until a patch is available. Restrict access to the vulnerable module cxacru to minimize the risk of exploitation. Avoid using the usb submit urb() function with unverified endpoint types until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.