CVE-2024-44960: usb: gadget: core: Check for unset descriptor
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: core: Check for unset descriptor
Make sure the descriptor has been set before looking at maxpacket.
This fixes a null pointer panic in this case.
This may happen if the gadget doesn't properly set up the endpoint
for the current speed, or the gadget descriptors are malformed and
the descriptor for the speed/endpoint are not found.
No current gadget driver is known to have this problem, but this
may cause a hard-to-find bug during development of new gadgets.
Security readout for executives and security teams
Plain-English summary
CVE-2024-44960 is a Linux kernel USB gadget flaw that can cause a null pointer panic when a USB endpoint descriptor is missing or malformed. The public record describes a crash condition, not data theft or remote code execution. No active exploitation is cited, and no current gadget driver was known to trigger it.
Executive priority
Treat this as targeted operational risk, not broad emergency risk, unless your products use Linux USB gadget mode. Prioritize embedded devices, appliances, and development builds where a kernel panic could affect availability or certification timelines.
Technical view
The Linux USB gadget core accessed an endpoint descriptor's maxpacket value without first confirming that the descriptor was set. If gadget setup for the current speed is incomplete, or descriptors are malformed, this can cause a kernel null pointer panic. Stable kernel commits add the missing descriptor check.
Likely exposure
Exposure is most relevant to Linux systems using USB gadget functionality, especially embedded, appliance, development, or OTG-style devices. General-purpose servers that do not use USB gadget mode are less likely to be exposed based on the provided description.
Exploitation context
The bundle does not cite public exploitation, CISA KEV listing, exploit code, or known affected in-tree gadget drivers. The described impact is a kernel panic under malformed or incomplete USB gadget descriptor conditions, especially during development of new gadget functions.
Researcher notes
The strongest evidence supports availability impact through null pointer panic. Severity, CVSS, and CWE are absent in the bundle. The CVE text explicitly says no current gadget driver is known to have this problem, which materially lowers confidence in broad exploitability.
Mitigation direction
Update to a kernel or distribution package containing the stable USB gadget fix.
Apply Debian LTS kernel updates where Debian advisories apply.
Check vendor advisories for embedded or appliance products using Linux USB gadget mode.
Review custom gadget code for complete endpoint descriptors per supported USB speed.
Validation and detection
Inventory Linux kernel versions against the affected and fixed version ranges.
Identify systems that enable USB gadget functionality or custom gadget drivers.
Confirm distribution changelogs mention CVE-2024-44960 or the linked stable commits.
For custom gadgets, verify endpoint descriptors are present for each supported speed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-44960 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.