CVE-2024-42236

usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Userspace provided string 's' could trivially have the length zero. Left unchecked this will firstly result in an OOB read in the form `if (str[0 - 1] == '\n') followed closely by an OOB write in the form `str[0 - 1] = '\0'`. There is already a validating check to catch strings that are too long. Let's supply an additional check for invalid strings that are too short.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.05%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/a444c3fc264119801575ab086e03fb4952f23fd0 patch
https://git.kernel.org/stable/c/c95fbdde87e39e5e0ae27f28bf6711edfb985caa patch
https://git.kernel.org/stable/c/e8474a10c535e6a2024c3b06e37e4a3a23beb490 patch
https://git.kernel.org/stable/c/72b8ee0d9826e8ed00e0bdfce3e46b98419b37ce patch
https://git.kernel.org/stable/c/2d16f63d8030903e5031853e79d731ee5d474e70 patch
https://git.kernel.org/stable/c/d1205033e912f9332c1dbefa812e6ceb0575ce0a patch
https://git.kernel.org/stable/c/eecfefad0953b2f31aaefa058f7f348ff39c4bba patch
https://git.kernel.org/stable/c/6d3c721e686ea6c59e18289b400cc95c76e927e0 patch

Frequently Asked Questions

What is the severity of CVE-2024-42236?
CVE-2024-42236 has been scored as a medium severity vulnerability.
How to fix CVE-2024-42236?
To fix CVE-2024-42236, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-42236 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-42236 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-42236?
CVE-2024-42236 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.