CVE-2024-26659
Description
In the Linux kernel, the following vulnerability has been resolved: xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs. The xHC should also report completion of the final TRB due to its IOC flag being set by us, regardless of prior errors. This event cannot be recognized if the TD has already been freed earlier, resulting in "Transfer event TRB DMA ptr not part of current TD" error message. Fix this by reusing the logic for processing isoc Transaction Errors. This also handles hosts which fail to report the final completion. Fix transfer length reporting on Babble errors. They may be caused by device malfunction, no guarantee that the buffer has been filled.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description kernel: xhci: handle isoc Babble and Buffer Overrun events properly Red Hat statement Red Hat Product Security has classified the severity of this vulnerability as Moderate due to the specific prerequisites required for exploitation. Successful exploitation generally necessitates local access to the system with elevated permissions to interact with the Extensible Host Controllerβ¦
Description
kernel: xhci: handle isoc Babble and Buffer Overrun events properly
Red Hat statement
Red Hat Product Security has classified the severity of this vulnerability as Moderate due to the specific prerequisites required for exploitation. Successful exploitation generally necessitates local access to the system with elevated permissions to interact with the Extensible Host Controller Interface (xHCI) driver, which effectively translates to root-level access.
CVSS v3: 4.1 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | kernel-rt-0:4.18.0-553.5.1.rt7.346.el8_10 | RHSA-2024:3627 | 2024-06-05T00:00:00Z |
| Red Hat Enterprise Linux 8 | kernel-0:4.18.0-553.5.1.el8_10 | RHSA-2024:3618 | 2024-06-05T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | kernel-0:5.14.0-427.81.1.el9_4 | RHSA-2025:13135 | 2025-08-06T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Out of support scope |
| Red Hat Enterprise Linux 7 | kernel | Out of support scope |
| Red Hat Enterprise Linux 7 | kernel-rt | Out of support scope |
| Red Hat Enterprise Linux 9 | kernel | Affected |
| Red Hat Enterprise Linux 9 | kernel-rt | Fix deferred |
Apply commands
yum update -y kernel-rt
# or:
dnf upgrade -y kernel-rtAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
Linux kernel Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 6.8 | Affected | β |
| β | Affected | 5.10.213 |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| β | Affected | β |
Debian Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.7.7-1 |
| sid | Fixed | 6.7.7-1 |
| forky | Fixed | 6.7.7-1 |
| bullseye | Fixed | 5.10.216-1 |
| bookworm | Fixed | 6.1.82-1 |
| 10.0 | Affected | β |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | kernel-abi-stablelists-4.18.0-553.5.1.el8_10.noarch.rpm |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | β |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | β |
References
- https://git.kernel.org/stable/c/2aa7bcfdbb46241c701811bbc0d64d7884e3346c
- https://git.kernel.org/stable/c/2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3
- https://git.kernel.org/stable/c/418456c0ce56209610523f21734c5612ee634134
- https://git.kernel.org/stable/c/696e4112e5c1ee61996198f0ebb6ca3fab55166e
- https://git.kernel.org/stable/c/7c4650ded49e5b88929ecbbb631efb8b0838e811
- https://git.kernel.org/stable/c/f5e7ffa9269a448a720e21f1ed1384d118298c97
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://errata.rockylinux.org/RLSA-2024:3627
- https://errata.rockylinux.org/RLSA-2024:3618
- https://www.suse.com/security/cve/CVE-2024-26659.html
- https://security-tracker.debian.org/tracker/CVE-2024-26659
- https://access.redhat.com/errata/RHSA-2024:3618
- https://bugzilla.redhat.com/2250843
- https://bugzilla.redhat.com/2257406
- https://bugzilla.redhat.com/2263875
- https://bugzilla.redhat.com/2265271
- https://bugzilla.redhat.com/2265646
- https://bugzilla.redhat.com/2265654
- https://bugzilla.redhat.com/2265833
- https://bugzilla.redhat.com/2266296
- https://bugzilla.redhat.com/2266446
- https://bugzilla.redhat.com/2266746
- https://bugzilla.redhat.com/2266841
- https://bugzilla.redhat.com/2267038
CWEs
CWE-787
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.