CVE-2024-26600: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-26600 is a vulnerability in the Linux kernel's phy-omap-usb2 driver that was discovered and disclosed on February 26, 2024. The vulnerability affects Linux kernel versions from 3.7.0 up to versions before 4.19.307, 5.4.269, 5.10.210, 5.15.149, 6.1.78, 6.6.17, and 6.7.5. This issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) (NVD).

The vulnerability is a NULL pointer dereference issue in the phy-omap-usb2 driver. The problem occurs when the external PHY working with phy-omap-usb2 does not implement the send_srp() function, but the driver still attempts to call it. This can be triggered when an idle Ethernet gadget attempts to wake up. The issue stems from insufficient checking of function pointers before calling them, specifically the send_srp() and set_vbus() functions, which could be NULL in USB peripheral-only cases (Kernel Patch).

When exploited, this vulnerability can cause a kernel NULL pointer dereference, leading to a system crash (denial of service). The vulnerability has been rated as Medium severity with a CVSS v3.1 score of 5.5, indicating that it requires local access and low privileges to exploit, but can only impact system availability without compromising confidentiality or integrity (NVD).

The vulnerability has been fixed by adding additional checks for send_srp() and set_vbus() function pointers before calling them. The fix has been incorporated into various Linux kernel versions. Users should update their systems to the patched versions: 4.19.307, 5.4.269, 5.10.210, 5.15.149, 6.1.78, 6.6.17, or 6.7.5 or later (NVD).