CVE-2024-45027: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's USB XHCI driver was discovered and resolved, identified as CVE-2024-45027. The issue occurs in the xhci_mem_cleanup() function when xhci_mem_init() fails before xhci->interrupters is allocated but after xhci->max_interrupters has been set. This vulnerability affects Linux kernel versions from 6.8 up to (excluding) 6.10.7, as well as release candidates 6.11-rc1, 6.11-rc2, and 6.11-rc3 (NVD).

The vulnerability stems from an unconditional dereferencing of xhci->interrupters in the xhci_mem_cleanup() function. When xhci_mem_init() fails early in its execution, it calls xhci_mem_cleanup() to clean up resources, but if the failure occurs at a specific point in the initialization sequence, it leads to an invalid memory access. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements and potential high impact on availability (NVD).

The vulnerability can lead to a denial of service condition when exploited. The issue specifically affects the system's ability to properly handle USB device cleanup operations, which could result in system instability or crashes (Kernel Patch).

The issue has been fixed by adding a check for xhci->interrupters being non-NULL before entering the cleanup loop. The fix has been implemented in the Linux kernel through a patch that gates the interrupt freeing loop with an additional condition. Users should update to Linux kernel version 6.10.7 or later to receive the fix (Kernel Patch).