CVE-2024-26716: usb: core: Prevent null pointer dereference in update_port_device_state

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: core: Prevent null pointer dereference in update_port_device_state

Currently, the function update_port_device_state gets the usb_hub from
udev->parent by calling usb_hub_to_struct_hub.
However, in case the actconfig or the maxchild is 0, the usb_hub would
be NULL and upon further accessing to get port_dev would result in null
pointer dereference.

Fix this by introducing an if check after the usb_hub is populated.
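
A user-space model of the check described above, added here as an illustration; it is not the kernel patch or kernel code. The struct layouts, `hub_lookup`, `update_port_state_checked`, `run_case` and the state value 7 are simplified assumptions standing in for the kernel's types and for usb_hub_to_struct_hub and update_port_device_state.

```c
#include <stdio.h>

/* Simplified stand-ins (assumption): only the fields the description
 * mentions are modelled; these are not the kernel's definitions. */
struct usb_port { int state; };
struct usb_hub { struct usb_port **ports; };
struct usb_device {
    struct usb_device *parent;
    void *actconfig;            /* NULL while the device is unconfigured */
    int maxchild, portnum, state; /* portnum is 1-based on the parent */
    struct usb_hub *hub_data;   /* stands in for the hub driver data */
};

/* Models the lookup: no hub when actconfig or maxchild is 0. */
static struct usb_hub *hub_lookup(struct usb_device *hdev)
{
    if (!hdev || !hdev->actconfig || !hdev->maxchild)
        return NULL;
    return hdev->hub_data;
}

/* Fixed shape: returns 1 if the port state was updated, 0 if skipped. */
static int update_port_state_checked(struct usb_device *udev)
{
    struct usb_hub *hub = hub_lookup(udev->parent);

    if (!hub)                   /* without this check, hub->ports faults */
        return 0;
    hub->ports[udev->portnum - 1]->state = udev->state;
    return 1;
}

/* Constructed scenario: a child on port 1 of a parent whose setup varies. */
int run_case(int configured, int maxchild, int *port_state)
{
    static int cfg;             /* dummy object so actconfig is non-NULL */
    struct usb_port port = { 0 };
    struct usb_port *ports[1] = { &port };
    struct usb_hub hub = { ports };
    struct usb_device parent = { NULL, configured ? &cfg : NULL, maxchild, 0, 0, &hub };
    struct usb_device child = { &parent, NULL, 0, 1, 7, NULL };
    int updated = update_port_state_checked(&child);
    *port_state = port.state;
    return updated;
}

int main(void)
{
    int s, r = run_case(1, 0, &s);  /* parent reports maxchild == 0 */
    printf("updated=%d port_state=%d\n", r, s);
    return 0;
}
```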

Classification

CVE ID: CVE-2024-26716

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.06% (share of vulnerabilities scored less than or equal to this one)

EPSS Date: 2025-02-03 (when this score was calculated)

References

https://git.kernel.org/stable/c/ed85777c640cf9e6920bb1b60ed8cd48e1f4d873
https://git.kernel.org/stable/c/465b545d1d7ef282192ddd4439b08279bdb13f6f
https://git.kernel.org/stable/c/12783c0b9e2c7915a50d5ec829630ff2da50472c

Timeline