CVE-2024-26715: usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend
In current scenario if Plug-out and Plug-In performed continuously
there could be a chance while checking for dwc->gadget_driver in
dwc3_gadget_suspend, a NULL pointer dereference may occur.
Call Stack:
CPU1: CPU2:
gadget_unbind_driver dwc3_suspend_common
dwc3_gadget_stop dwc3_gadget_suspend
dwc3_disconnect_gadget
CPU1 basically clears the variable and CPU2 checks the variable.
Consider CPU1 is running and right before gadget_driver is cleared
and in parallel CPU2 executes dwc3_gadget_suspend where it finds
dwc->gadget_driver which is not NULL and resumes execution and then
CPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where
it checks dwc->gadget_driver is already NULL because of which the
NULL pointer deference occur.
Security readout for executives and security teams
Plain-English summary
CVE-2024-26715 is a Linux kernel crash bug in the DWC3 USB gadget driver. Rapid USB unplug and replug activity during suspend or driver shutdown can race two code paths, leaving one path to use a cleared driver pointer. The likely business impact is local device instability or denial of service, not confirmed remote compromise.
Executive priority
Prioritize patching for products or fleets that expose USB gadget functionality, because this can crash affected devices. It is not currently supported as an internet-scale emergency from the supplied evidence, but unmanaged embedded Linux devices may have long patch cycles and operational impact.
Technical view
The flaw is a NULL pointer dereference in dwc3_gadget_suspend(). A race between gadget_unbind_driver/dwc3_gadget_stop and dwc3_suspend_common/dwc3_gadget_suspend can clear dwc->gadget_driver after a prior non-NULL check, leading dwc3_disconnect_gadget to dereference NULL. Linux marks this resolved with stable kernel commits.
Likely exposure
Exposure is most relevant to Linux systems using the DWC3 USB controller in gadget/device mode, especially embedded, mobile, appliance, OT, or development boards where USB connect/disconnect and suspend events occur. Generic servers without DWC3 gadget functionality are less likely exposed.
Exploitation context
The supplied sources do not show KEV listing, public exploitation, CVSS, or exploit maturity. The described trigger depends on timing around USB plug-out/plug-in, suspend, and gadget driver unbind paths, so treat this as a reliability and denial-of-service risk unless vendor evidence says otherwise.
Researcher notes
Evidence is limited to the CVE record and Linux stable commit references. No CWE, CVSS, exploit status, or detailed vendor matrix is provided. Focus research on confirming affected kernel branches, downstream backports, DWC3 gadget enablement, and whether crash-only behavior holds for target hardware.
Mitigation direction
Update to a vendor kernel containing the referenced stable fixes.
Prioritize devices using DWC3 USB gadget or device mode.
Check Linux distribution or device-vendor advisories for backported patches.
If update is delayed, reduce unnecessary USB gadget exposure where feasible.
Avoid claiming remediation complete without confirming the exact backport commit.
Validation and detection
Inventory affected devices for Linux kernel version and DWC3 gadget usage.
Check vendor kernel changelogs for CVE-2024-26715 or the referenced commits.
Confirm patched builds include the dwc3 gadget suspend race fix.
Review crash logs for NULL dereferences in dwc3_gadget_suspend or dwc3_disconnect_gadget.
Validate that regression testing covers USB disconnect, reconnect, and suspend behavior.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-26715 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.