PatchSiren cyber security CVE debrief

CVE-2024-26651 Linux CVE debrief

CVE-2024-26651 is a Linux kernel issue in the sr9800 USB network driver where failure from usbnet_get_endpoints() was not properly checked and propagated. The published fix adds error handling so the driver stops on endpoint setup failure instead of continuing with invalid state. NVD rates the issue as medium severity with local, low-privileged, no-user-interaction conditions and high availability impact.

Vendor: Linux
Product: CVE-2024-26651
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-27
Original CVE updated: 2026-05-12
Advisory published: 2024-03-27
Advisory updated: 2026-05-12

Who should care

Linux system maintainers, distro security teams, and operators of systems running affected kernel branches, especially where the sr9800 USB network driver is in use.

Technical summary

The supplied kernel fix is narrowly scoped: it adds a check for usbnet_get_endpoints() and returns the error when endpoint discovery fails. According to the NVD corpus, affected Linux kernel CPE ranges include versions from 3.14 before 4.19.311, 4.20 before 5.4.273, 5.5 before 5.10.214, 5.11 before 5.15.153, 5.16 before 6.1.83, 6.2 before 6.6.23, 6.7 before 6.7.11, and 6.8 before 6.8.2. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and NVD does not assign a specific CWE beyond NVD-CWE-noinfo.

Defensive priority

Medium — prioritize patching on affected Linux kernel branches, especially where the sr9800 driver is present or potentially loadable.

Recommended defensive actions

  • Update to a kernel release that includes the sr9800 usbnet_get_endpoints() error-handling fix, or apply the vendor backport for your supported branch.
  • Confirm whether affected hosts run one of the vulnerable kernel version ranges listed by NVD.
  • Track downstream distro advisories and security errata for backported fixes on Debian, Fedora, and vendor-maintained kernels.
  • Include this CVE in routine kernel patch compliance checks, since the fix spans multiple long-term support branches.
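
One way to run the version-range check from the actions above on a host. This is an added example, not code from the CVE record or the kernel fix. The function names are hypothetical, the ranges are the NVD ranges quoted in the technical summary, and the driver's module name is assumed to be sr9800.

```sh
#!/bin/sh
# Added example. Versions are compared as upstream X.Y.Z only. Distro kernels
# often carry the fix as a backport under an older version string, so treat
# "affected" on a distro kernel as "check the vendor advisory", not as proof.

# "6.1.82-custom" -> 6001082 (anything after the first -, + or _ is ignored)
ver_num() (
    v=${1%%[-+_]*}
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# Prints "affected fixed-in=<version>" or "not-in-listed-ranges".
cve_2024_26651_status() (
    n=$(ver_num "$1")
    # Each line: first affected version, first fixed version (exclusive bound).
    while read -r start fixed; do
        if [ "$n" -ge "$(ver_num "$start")" ] && [ "$n" -lt "$(ver_num "$fixed")" ]; then
            echo "affected fixed-in=$fixed"
            exit 0
        fi
    done <<EOF
3.14 4.19.311
4.20 5.4.273
5.5 5.10.214
5.11 5.15.153
5.16 6.1.83
6.2 6.6.23
6.7 6.7.11
6.8 6.8.2
EOF
    echo "not-in-listed-ranges"
)

# Prints loaded / available / absent for the sr9800 module on this host.
# A driver built into the kernel image may not be reported here.
sr9800_module_state() {
    if [ -d /sys/module/sr9800 ]; then echo loaded
    elif command -v modinfo >/dev/null 2>&1 && modinfo sr9800 >/dev/null 2>&1; then echo available
    else echo absent
    fi
}

echo "kernel $(uname -r): $(cve_2024_26651_status "$(uname -r)"); sr9800 module: $(sr9800_module_state)"
```

A host that reports "affected" with the module "absent" is lower priority than one where the module is loaded or available, but both still belong in the patch compliance check.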

Evidence notes

The CVE description explicitly states that sr9800 now checks usbnet_get_endpoints() and returns the error if it fails, which indicates a defensive fix for missing error propagation. The NVD record classifies the issue as local, low-privilege, no-interaction, and availability-only (high). The corpus provides affected-version ranges and multiple stable patch references, but no exploit narrative or detailed root-cause analysis beyond the error-checking change.

Official resources

Publicly disclosed in the CVE/NVD record on 2024-03-27; NVD last modified the record on 2026-05-12.