LiveActive security incident?Get immediate response
CVE Record

CVE-2024-44960: usb: gadget: core: Check for unset descriptor

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: Check for unset descriptor Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-44960 is a Linux kernel USB gadget flaw that can cause a null pointer panic when a USB endpoint descriptor is missing or malformed. The public record describes a crash condition, not data theft or remote code execution. No active exploitation is cited, and no current gadget driver was known to trigger it.

Executive priority

Treat this as targeted operational risk, not broad emergency risk, unless your products use Linux USB gadget mode. Prioritize embedded devices, appliances, and development builds where a kernel panic could affect availability or certification timelines.

Technical view

The Linux USB gadget core accessed an endpoint descriptor's maxpacket value without first confirming that the descriptor was set. If gadget setup for the current speed is incomplete, or descriptors are malformed, this can cause a kernel null pointer panic. Stable kernel commits add the missing descriptor check.

Likely exposure

Exposure is most relevant to Linux systems using USB gadget functionality, especially embedded, appliance, development, or OTG-style devices. General-purpose servers that do not use USB gadget mode are less likely to be exposed based on the provided description.

Exploitation context

The bundle does not cite public exploitation, CISA KEV listing, exploit code, or known affected in-tree gadget drivers. The described impact is a kernel panic under malformed or incomplete USB gadget descriptor conditions, especially during development of new gadget functions.

Researcher notes

The strongest evidence supports availability impact through null pointer panic. Severity, CVSS, and CWE are absent in the bundle. The CVE text explicitly says no current gadget driver is known to have this problem, which materially lowers confidence in broad exploitability.

Mitigation direction

  • Update to a kernel or distribution package containing the stable USB gadget fix.
  • Apply Debian LTS kernel updates where Debian advisories apply.
  • Check vendor advisories for embedded or appliance products using Linux USB gadget mode.
  • Review custom gadget code for complete endpoint descriptors per supported USB speed.

Validation and detection

  • Inventory Linux kernel versions against the affected and fixed version ranges.
  • Identify systems that enable USB gadget functionality or custom gadget drivers.
  • Confirm distribution changelogs mention CVE-2024-44960 or the linked stable commits.
  • For custom gadgets, verify endpoint descriptors are present for each supported speed.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-44960 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
14Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
siemens-SADPADP container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxd1c188d330ca33cc35d1590441ba276f31144299, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, 54f83b8c8ea9b22082a496deadf90447a326954e, d7e3f2fe01372eb914d0e451f0e7a46cbcb98f9e, 85c9ece11264499890d0e9f0dee431ac1bda981c, fc71e39a6c07440e6968227f3db1988f45d7a7b7, 94f5de2eefae22c449e367c2dacafe869af73e3f, 8212b44b7109bd30dbf7eb7f5ecbbc413757a7d7, 4.19.82, 3.16.80, 4.4.199, 4.9.199, 4.14.152, 5.3.9unaffected
LinuxLinux5.4, 0, 4.19.320, 5.4.282, 5.10.224, 5.15.165, 6.1.105, 6.6.46, 6.10.5, 6.11affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.