CVE-2024-38394

NameCVE-2024-38394
DescriptionMismatches in interpreting USB authorization policy between GNOME Settings Daemon (GSD) through 46.0 and the Linux kernel's underlying device matching logic allow a physically proximate attacker to access some unintended Linux kernel USB functionality, such as USB device-specific kernel modules and filesystem implementations. NOTE: the GSD supplier indicates that consideration of a mitigation for this within GSD would be in the context of "a new feature, not a CVE."
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gnome-settings-daemon (PTS)bullseye3.38.2-1vulnerable
bookworm43.0-4vulnerable
trixie48.1-1vulnerable
forky, sid49.1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gnome-settings-daemonsource(unstable)(unfixed)unimportant

Notes

https://pulsesecurity.co.nz/advisories/usbguard-bypass
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780
https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780#note_2047914
As per Gnome upstream, consideration of a mitigation for the issue within
gnome-settings-daemon would rather be a new feature but not a vulnerability
fixing. The CVE assignment is disputed upstream with this context.
Search for package or bug name: Reporting problems