CVE-2024-26964

usb: xhci: Add error handling in xhci_map_urb_for_dma

Description

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Add error handling in xhci_map_urb_for_dma Currently xhci_map_urb_for_dma() creates a temporary buffer and copies the SG list to the new linear buffer. But if the kzalloc_node() fails, then the following sg_pcopy_to_buffer() can lead to crash since it tries to memcpy to NULL pointer. So return -ENOMEM if kzalloc returns null pointer.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd patch
https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea patch
https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4 patch
https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d patch
https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757 patch
https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052 patch

Frequently Asked Questions

What is the severity of CVE-2024-26964?
CVE-2024-26964 has been scored as a medium severity vulnerability.
How to fix CVE-2024-26964?
To fix CVE-2024-26964, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-26964 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-26964 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-26964?
CVE-2024-26964 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.