CVE-2024-41097: usb: atm: cxacru: fix endpoint checking in cxacru_bind()
In the Linux kernel, the following vulnerability has been resolved:
usb: atm: cxacru: fix endpoint checking in cxacru_bind()
Syzbot is still reporting quite an old issue [1] that occurs due to
incomplete checking of present usb endpoints. As such, wrong
endpoints types may be used at urb sumbitting stage which in turn
triggers a warning in usb_submit_urb().
Fix the issue by verifying that required endpoint types are present
for both in and out endpoints, taking into account cmd endpoint type.
Unfortunately, this patch has not been tested on real hardware.
[1] Syzbot report:
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
...
Call Trace:
cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649
cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760
cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209
usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055
cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363
usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x23c/0xcd0 drivers/base/dd.c:595
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x228/0x4a0 drivers/base/dd.c:965
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xc2f/0x2180 drivers/base/core.c:3354
usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170
usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238
usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293
Security readout for executives and security teams
Plain-English summary
CVE-2024-41097 is a Linux kernel USB ATM driver bug. The driver did not fully verify required USB endpoint types, so an unsuitable endpoint could reach USB request submission and trigger a kernel warning. The supplied sources do not show active exploitation or a CVSS score.
Executive priority
Treat as a routine kernel maintenance item unless your environment uses USB ATM hardware or exposes untrusted USB devices. Prioritize through standard patch cycles, with faster action for systems accepting physical or peripheral input from untrusted sources.
Technical view
The flaw is in cxacru_bind() in drivers/usb/atm/cxacru.c. Incomplete endpoint validation allowed wrong endpoint types to be used when submitting URBs, producing usb_submit_urb() warnings. The fix verifies required endpoint types for both input and output endpoints, including command endpoint type handling.
Likely exposure
Exposure appears limited to Linux systems that include and use the cxacru USB ATM driver with affected kernel versions or downstream packages. The bundle lists Linux kernel versions and stable fix commits, but does not provide CPEs or asset-specific product names.
Exploitation context
No active exploitation is supported by the supplied sources. The CVE is not marked KEV, and the described evidence is a syzbot kernel warning report. The practical attack preconditions and impact beyond warning/driver misuse are not fully established in the bundle.
Researcher notes
The record lacks CVSS, CWE, CPEs, and confirmed real-hardware testing. The patch note says the fix was not tested on real hardware. Researchers should validate affected branch mappings through kernel stable commits and downstream distro advisories.
Mitigation direction
Update to a kernel containing the referenced stable fix commits.
Use distribution security updates where available, including relevant Debian LTS updates.
If unused, consider disabling or not loading the cxacru USB ATM driver.
Check vendor kernel advisories before applying compensating controls.
Validation and detection
Inventory Linux hosts and embedded systems that load or ship cxacru.
Compare running kernel versions against vendor fixed packages or stable commits.
Review kernel logs for usb_submit_urb warnings involving cxacru or USB ATM.
Confirm patched systems no longer expose the affected driver version.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-41097 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.