CVE-2024-46861 - Linux Kernel USBnet ipheth RX Callback Vulnerability – Explained

In early 2024, security researchers discovered a subtle but important vulnerability in the Linux kernel’s USB network driver, specifically in the ipheth driver. Registered under CVE-2024-46861, this flaw could cause a denial-of-service on machines using iPhone tethering over USB. Let’s break down what happened, what the risk was, how it was fixed, and what you need to do.

What is Affected?

The problem was found in the drivers/net/usb/ipheth.c code – this is the driver Linux uses to communicate with Apple iPhones in personal hot spot (“tethering”) mode over USB. It lets a Linux machine use an iPhone’s internet connection via a USB cable.

Any device running a vulnerable version of the Linux kernel (mainline and most distributions before the patch landed in May 2024) could be affected if you use this form of USB tethering.

The Bug: RX Callback Stops Data Flow

Technical background: The driver receives network packets in the form of USB “URBs” (USB Request Blocks). The RX callback is a piece of code that’s called whenever new network data arrives from the phone.

In the vulnerable code, if the RX callback failed for any reason — such as receiving a packet too short, malformed NCM (Network Control Model) frame, or running out of memory — the callback would cause the receive (RX) system to halt. Once this happened, no more network data would be processed until the interface was reset.

Real-World Effect:
A single bad packet could cause the entire network connection to freeze until the affected network device was reloaded or reset. This could be triggered by a buggy phone, malicious tethering client, or a targeted attack (sending malformed packets via USB).

Here’s a simplified snippet of what the pre-patch code looked like

static void ipheth_rcvbulk_callback(struct urb *urb)
{
    struct net_device *net = urb->context;
    int retval;

    if (urb->status) {
        // Error occurred, stop RX engine!
        netif_err(net, ...);
        return;
    }

    if (urb->actual_length < MIN_PAYLOAD_SIZE) {
        // Bad payload, also stop RX
        netif_err(net, ...);
        return;
    }

    // ...normal packet processing...
}

Whenever an error or a short payload was detected, the callback returned without queuing more RX URBs. The device would stop accepting packets, freezing the network.

The Fixed Code – Safer, More Resilient

The fix, applied in this commit, changes the logic so that bad packets are simply skipped, but the driver keeps processing new ones, staying alive in the face of errors.

static void ipheth_rcvbulk_callback(struct urb *urb)
{
    struct net_device *net = urb->context;
    // ... same checks ...

    if (urb->status || urb->actual_length < MIN_PAYLOAD_SIZE) {
        netif_err(net, ...);
        // Instead of bailing out, retry RX:
        goto resubmit;
    }

    // ...normal packet processing...

resubmit:
    retval = usb_submit_urb(urb, GFP_ATOMIC);
    if (retval)
        netif_err(net, ...);
}

Notice how, after an error, the code now immediately re-queues the URB for more packets. This tiny change prevents a single bad packet from killing your network interface.

Exploit Details: How Could This Be Abused?

While this is not a classic “remote code execution” or privilege escalation, the bug could be abused in a couple of ways:

Denial of Service (DoS):

A local attacker (or a malicious USB device) could send a series of malformed packets, causing the kernel’s network interface to hang, losing all connectivity over USB. Recovery required unplugging/re-plugging the cable or resetting the interface.

Persistence:

Since the RX engine stopped on *any* receive failure — even temporarily running out of memory — the interface was far less reliable, and even rare errors would permanently stop data until user intervention.

Researchers have demonstrated “bad USB” cables or tethering apps could exploit similar bugs in the wild.

References and Further Reading

- CVE-2024-46861 at Mitre
- Linux Kernel Patch Commit
- ipheth: Avoid stopping RX on failed callback (kernel.org)

Am I Vulnerable? What Should I Do?

- If you use Linux and ever connect your iPhone for USB tethering, you should update your kernel to 5.10.220+, 5.15.161+, 6.1.92+, 6.6.32+, 6.9.3+ or newer, or your distribution’s latest kernel.
- If you maintain Linux systems where USB devices from untrusted users are plugged in, update as soon as your vendor releases patches.
- For developers, you can see a full diff here.

Conclusion

CVE-2024-46861 is a strong reminder that even “minor” error-handling bugs in kernel drivers can become denial-of-service vectors. The ipheth driver now gracefully recovers from malformed and short packets, making Linux more robust for all USB network users.

If you’re using USB tethering on Linux, update your kernel — and stay safe!


*Exclusive for Stack*, by your friendly neighborhood kernel security nerd.

Timeline

Published on: 09/27/2024 13:15:17 UTC
Last modified on: 12/19/2024 09:24:56 UTC