#VU102101 NULL pointer dereference in Linux kernel - CVE-2024-56698


Vulnerability identifier: #VU102101

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-56698

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Linux kernel
Operating systems & Components / Operating system

Vendor: Linux Foundation

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the dwc3_prepare_trbs_sg() function in drivers/usb/dwc3/gadget.c. A local user can perform a denial of service (DoS) attack.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Linux kernel: All versions


External links
https://git.kernel.org/stable/c/0247da93bf62d33304b7bf97850ebf2a86e06d28
https://git.kernel.org/stable/c/1534f6f69393aac773465d80d31801b554352627
https://git.kernel.org/stable/c/70777a23a54e359cfdfafc625a57cd56434f3859
https://git.kernel.org/stable/c/8ceb21d76426bbe7072cc3e43281e70c0d664cc7
https://git.kernel.org/stable/c/b7c3d0b59213ebeedff63d128728ce0b3d7a51ec
https://git.kernel.org/stable/c/b7fc65f5141c24785dc8c19249ca4efcf71b3524
https://git.kernel.org/stable/c/c9e72352a10ae89a430449f7bfeb043e75c255d9


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

