PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26659 Linux CVE debrief

CVE-2024-26659 is a Linux kernel xHCI bug in isochronous transfer error handling. According to the public record, the driver could incorrectly assume ownership of a multi-TRB transfer descriptor after an early error event, which could lead to freed or overwritten descriptors and incorrect completion handling. The issue is rated medium severity; the NVD vector describes a local, low-privilege attack with no confidentiality or integrity impact and a high impact on availability.

Vendor: Linux
Product: CVE-2024-26659
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-02
Original CVE updated: 2026-05-12
Advisory published: 2024-04-02
Advisory updated: 2026-05-12

Who should care

Administrators and vendors running Linux kernels with xHCI USB support, especially systems that expose USB devices to untrusted users or rely on stable handling of isochronous USB traffic. Kernel maintainers and distro security teams should prioritize patched releases for affected kernel branches.

Technical summary

The NVD description and the kernel fix references indicate a flaw in xHCI handling of isochronous Babble and Buffer Overrun events. After an error on an early TRB of a multi-TRB transfer descriptor, the driver could release the descriptor too early, even though section 4.9 of the xHCI specification does not allow the driver to assume the controller has given up ownership at that point. The remaining TRBs could then be freed or overwritten, and the final completion event could go unrecognised when IOC (Interrupt On Completion) is set. The published fix reuses the logic already used for isochronous Transaction Error handling and corrects transfer-length reporting for Babble errors. NVD classifies the weakness as CWE-787 (out-of-bounds write).

Defensive priority

High for systems that use affected Linux kernel branches and depend on USB xHCI reliability; otherwise medium. The issue is not listed as KEV, but the availability impact and broad kernel exposure justify timely patching.

Recommended defensive actions

  • Upgrade to a kernel release that includes the vendor fixes referenced in the NVD record.
  • If you maintain long-term-support kernels, verify that the corresponding stable backports are applied in your branch.
  • Review systems in the affected version ranges listed by NVD: kernels on the stable branches before 5.10.213, 5.15.152, 6.1.82, 6.6.17 and 6.7.5, as well as the 6.8-rc1 and 6.8-rc2 release candidates.
  • Apply distro security advisories and vendor kernels that incorporate the upstream stable patches.
  • Prioritize patching hosts that rely on USB devices for production workloads or that are exposed to local users with low privileges.
  • Validate post-update USB/xHCI stability on systems where isochronous devices are important, such as audio or video capture hardware.
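An added triage helper (not PatchSiren's or the kernel project's code) that maps a `uname -r` string onto the NVD version ranges quoted above. It only evaluates the upstream version number, so on distro kernels that carry the stable backport without a version bump a True result means "confirm against the vendor advisory", as the second action above requires; branches NVD does not enumerate are reported as unknown rather than fixed.

```python
import platform
import re

# Fixed versions per stable branch, taken from the NVD ranges quoted above:
# kernels on these branches *before* the listed version are in the affected range.
FIXED_IN = {
    (5, 10): (5, 10, 213),
    (5, 15): (5, 15, 152),
    (6, 1): (6, 1, 82),
    (6, 6): (6, 6, 17),
    (6, 7): (6, 7, 5),
}
# Mainline release candidates NVD lists as affected.
AFFECTED_RC = {"6.8-rc1", "6.8-rc2"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(uname_r):
    """Parse a `uname -r` string into (major, minor, patch, rc).

    rc is None for release kernels; distro suffixes such as '-amd64',
    '-generic' or '.el9' after the upstream version are ignored."""
    m = _VER_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def in_nvd_affected_range(uname_r):
    """True/False if the upstream version falls inside/outside one of the NVD
    ranges for CVE-2024-26659; None when the branch is not one the record
    enumerates (e.g. 6.9), so 'unknown' is not silently treated as 'fixed'."""
    major, minor, patch, rc = parse_kernel_version(uname_r)
    if rc is not None:
        return f"{major}.{minor}-rc{rc}" in AFFECTED_RC
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Report the running kernel; a distro kernel may carry the stable backport
    # without a version bump, so True here means "check the vendor advisory".
    release = platform.release()
    verdict = {True: "in NVD affected range", False: "outside NVD ranges",
               None: "branch not enumerated by NVD"}
    print(release, verdict[in_nvd_affected_range(release)])
```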

Evidence notes

This debrief is based only on the supplied NVD record, its embedded kernel patch references, and the Debian LTS announcement link. The issue date used here is the CVE publishedAt timestamp (2024-04-02T07:15:42.980Z), not the later modified date. The NVD description explicitly states the xHCI isoc Babble/Buffer Overrun handling problem, the transfer-descriptor lifetime issue, and the transfer-length reporting fix. NVD assigns CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-787.

Official resources

Publicly disclosed on 2024-04-02T07:15:42.980Z. The later 2026-05-12 modified timestamp reflects record updates, not the original CVE issuance date.