LiveActive security incident?Get immediate response
CVE Record

CVE-2024-41097: usb: atm: cxacru: fix endpoint checking in cxacru_bind()

In the Linux kernel, the following vulnerability has been resolved: usb: atm: cxacru: fix endpoint checking in cxacru_bind() Syzbot is still reporting quite an old issue [1] that occurs due to incomplete checking of present usb endpoints. As such, wrong endpoints types may be used at urb sumbitting stage which in turn triggers a warning in usb_submit_urb(). Fix the issue by verifying that required endpoint types are present for both in and out endpoints, taking into account cmd endpoint type. Unfortunately, this patch has not been tested on real hardware. [1] Syzbot report: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 WARNING: CPU: 0 PID: 8667 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 Modules linked in: CPU: 0 PID: 8667 Comm: kworker/0:4 Not tainted 5.14.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 ... Call Trace: cxacru_cm+0x3c0/0x8e0 drivers/usb/atm/cxacru.c:649 cxacru_card_status+0x22/0xd0 drivers/usb/atm/cxacru.c:760 cxacru_bind+0x7ac/0x11a0 drivers/usb/atm/cxacru.c:1209 usbatm_usb_probe+0x321/0x1ae0 drivers/usb/atm/usbatm.c:1055 cxacru_usb_probe+0xdf/0x1e0 drivers/usb/atm/cxacru.c:1363 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:517 [inline] really_probe+0x23c/0xcd0 drivers/base/dd.c:595 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:747 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:777 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:894 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x228/0x4a0 drivers/base/dd.c:965 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xc2f/0x2180 drivers/base/core.c:3354 usb_set_configuration+0x113a/0x1910 drivers/usb/core/message.c:2170 usb_generic_driver_probe+0xba/0x100 drivers/usb/core/generic.c:238 usb_probe_device+0xd9/0x2c0 drivers/usb/core/driver.c:293

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-41097 is a Linux kernel USB ATM driver bug. The driver did not fully verify required USB endpoint types, so an unsuitable endpoint could reach USB request submission and trigger a kernel warning. The supplied sources do not show active exploitation or a CVSS score.

Executive priority

Treat as a routine kernel maintenance item unless your environment uses USB ATM hardware or exposes untrusted USB devices. Prioritize through standard patch cycles, with faster action for systems accepting physical or peripheral input from untrusted sources.

Technical view

The flaw is in cxacru_bind() in drivers/usb/atm/cxacru.c. Incomplete endpoint validation allowed wrong endpoint types to be used when submitting URBs, producing usb_submit_urb() warnings. The fix verifies required endpoint types for both input and output endpoints, including command endpoint type handling.

Likely exposure

Exposure appears limited to Linux systems that include and use the cxacru USB ATM driver with affected kernel versions or downstream packages. The bundle lists Linux kernel versions and stable fix commits, but does not provide CPEs or asset-specific product names.

Exploitation context

No active exploitation is supported by the supplied sources. The CVE is not marked KEV, and the described evidence is a syzbot kernel warning report. The practical attack preconditions and impact beyond warning/driver misuse are not fully established in the bundle.

Researcher notes

The record lacks CVSS, CWE, CPEs, and confirmed real-hardware testing. The patch note says the fix was not tested on real hardware. Researchers should validate affected branch mappings through kernel stable commits and downstream distro advisories.

Mitigation direction

  • Update to a kernel containing the referenced stable fix commits.
  • Use distribution security updates where available, including relevant Debian LTS updates.
  • If unused, consider disabling or not loading the cxacru USB ATM driver.
  • Check vendor kernel advisories before applying compensating controls.

Validation and detection

  • Inventory Linux hosts and embedded systems that load or ship cxacru.
  • Compare running kernel versions against vendor fixed packages or stable commits.
  • Review kernel logs for usb_submit_urb warnings involving cxacru or USB ATM.
  • Confirm patched systems no longer expose the affected driver version.
Prepared
Confidence
medium
Sources
11

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-41097 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
10Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, 902ffc3c707c1d459ea57428a619a807cbe412f9, aef30a0bfdf6c10565285fff1ae8400b34ee0d81, 2.6.35.5unaffected
LinuxLinux2.6.36, 0, 4.19.317, 5.4.279, 5.10.221, 5.15.162, 6.1.97, 6.6.37, 6.9.8, 6.10affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.