LiveActive security incident?Get immediate response
CVE Record

CVE-2024-26997: usb: dwc2: host: Fix dereference issue in DDMA completion flow.

In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: host: Fix dereference issue in DDMA completion flow. Fixed variable dereference issue in DDMA completion flow.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-26997 is a Linux kernel bug in the DWC2 USB host driver. The public record says a variable dereference issue was fixed in the DDMA completion flow. Business urgency is unclear because no CVSS score, CWE, impact detail, or active exploitation evidence is provided.

Executive priority

Handle through normal kernel patch governance, with higher priority for fleets using USB host capabilities on embedded Linux. There is not enough public evidence to justify emergency response, but missing severity data means unsupported or appliance kernels should be checked promptly.

Technical view

The issue is in the Linux kernel usb/dwc2 host path, specifically DDMA completion handling. Upstream stable commits are referenced as fixes across maintained kernel branches. The source bundle does not define the exact bad dereference, attacker prerequisites, privilege boundary, or whether impact is denial of service, memory corruption, or another failure mode.

Likely exposure

Exposure is most plausible on Linux systems that use the dwc2 USB host controller driver, often embedded or ARM-based platforms. Internet-facing exposure is not indicated. Exact affected kernel ranges require mapping local kernel versions and vendor backports against upstream stable fixes.

Exploitation context

The source bundle does not report exploitation in the wild, and KEV is false. No public source in the bundle provides exploitability details, trigger conditions, or proof-of-concept status. Treat this as a kernel maintenance risk until vendor advisories clarify impact.

Researcher notes

The useful research path is patch diff review across the listed stable commits and platform triage for dwc2/DDMA enablement. The public CVE text is sparse, so avoid assuming attacker control, impact class, or exploitability without additional vendor or upstream maintainer evidence.

Mitigation direction

  • Check your Linux distribution or device vendor advisory for CVE-2024-26997 fixes.
  • Update to a kernel containing the referenced upstream stable dwc2 fixes.
  • Prioritize embedded, appliance, and OT devices using dwc2 USB host functionality.
  • Track Debian LTS advisories if Debian-based kernels are in scope.

Validation and detection

  • Inventory kernels and hardware using the dwc2 USB host driver.
  • Compare kernel package changelogs against CVE-2024-26997 or the referenced stable commits.
  • Confirm vendor backport status rather than relying only on version numbers.
  • Review logs for USB host controller instability if dwc2 devices are deployed.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-26997 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxdca1dc1e99e09e7b8eaccb55d6aecb87d9cb8ecd, 693bbbccd9c774adacaf03ae9fcbb33b66b1ffc4, db4fa0c8e811676a7bfe8363a01e70ee601e75f7, 32d3f2f108ebcaf9bd9fc06095c776cb73add034, bc48eb1b53ce977d17d51caa574bd81064a117a2, 8d310e5d702c903a7ac95fb5dd248f046b39db00, 8b7c57ab6f6bc6bfee87e929cab6e6dac351606b, b258e42688501cadb1a6dd658d6f015df9f32d8f, c4046e703e0083c8d2031cce02f2479e9ba2c166, 6.7.12unaffected
LinuxLinux4.19.312, 5.4.274, 5.10.215, 5.15.154, 6.1.84, 6.6.24, 6.8.3unaffected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.