{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-26996","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.206Z","datePublished":"2024-05-01T05:28:16.652Z","dateUpdated":"2026-01-05T10:35:10.352Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-01-05T10:35:10.352Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this point, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n  usb0: eth_stop dev->port_usb=ffffff9b179c3200\n  --> error happens in usb_ep_enable().\n  NCM: ncm_disable: ncm=ffffff9b179c3200\n  --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n  NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n  NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm\n\n[function link via configfs]\n  NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n  NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n  NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n  usb0: eth_open 
dev->port_usb=ffffff9b179c3200  <-- previous released ncm\n  usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n  eth_start_xmit()\n  --> dev->wrap()\n  Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_ncm.c"],"versions":[{"version":"6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b","lessThan":"7f67c2020cb08499c400abf0fc32c65e4d9a09ca","status":"affected","versionType":"git"},{"version":"6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b","lessThan":"0588bbbd718a8130b98c54518f1e0b569ce60a93","status":"affected","versionType":"git"},{"version":"6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b","lessThan":"f356fd0cbd9c9cbd0854657a80d1608d0d732db3","status":"affected","versionType":"git"},{"version":"6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b","lessThan":"7250326cbb1f4f90391ac511a126b936cefb5bb7","status":"affected","versionType":"git"},{"version":"6b4012a2e4d4702f8fb0ee1db1c0f0b17ab7d41b","lessThan":"6334b8e4553cc69f51e383c9de545082213d785e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_ncm.c"],"versions":[{"version":"4.4","status":"affected"},{"version":"0","lessThan":"4.4","status":"unaffected","versionType":"semver"},{"version":"5.15.157","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.88","lessThanOr
Equal":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.29","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.8.8","lessThanOrEqual":"6.8.*","status":"unaffected","versionType":"semver"},{"version":"6.9","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"5.15.157"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"6.1.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"6.6.29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"6.8.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.4","versionEndExcluding":"6.9"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca"},{"url":"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93"},{"url":"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3"},{"url":"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7"},{"url":"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e"}],"title":"usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26996","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-10T18:35:08.216292Z"}}}],"title":"CISA ADP 
Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:22:50.015Z"}},{"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-04T17:16:00.909Z"}}]}}