January 15th 2023

Researchers found 26 new vulnerabilities in the USB drivers used in Windows, Linux, macOS and other systems.

In our daily life, USB interface can be found everywhere, routers, printers, projectors, PC computers, desktop computers, etc., and its usage frequency is extremely high.

Of course, as the input and output interface of the hardware device, its safety is also very important.

Recently, researchers found 26 new vulnerabilities in the bulk flash drives used in Windows, Linux, macOS and other systems.

In fact, a large amount of users have accepted the fact that “USB devices are not safe”.

USBFuzz attaches fake usb devices

In our previous articles, we have repeatedly introduced USB-related security incidents, such as the BadUSB vulnerability that made billions of USB devices “sleepless”. From keyboards, printers to Usb flash drives, none is spared.

But this time, there are too many vulnerabilities and many major operating systems are compromised.

After further understanding, the research team was led by Hui Peng from Purdue University and Mathias Payer from Swiss Federal Institute of Technology Lausanne. The 26 new vulnerabilities were discovered through the new tool USBFuzz created by them. This type of tools is called “fuzzer” by team members.

It is said that the fuzzer is a gather of multiple applications that can help security researchers enter large amount of invalid, accidental or random data into other applications.

Afterwards, security researchers analyze the behavior of the tested software to discover new bugs, some of which may be used maliciously.

To test bulk flash drives, Peng and Payer jointly developed USBFuzz. It is a new fuzzer that is designed to test USB driver stack of modern operating systems.

USB architecture

According to the researchers, The core part of USBFuzz is that it uses software-emulated USB devices to provide random device data to driver (when they perform IO operations).

In addition, the research team also stated: “Since the emulated USB device works at the device level, it is straightforward to port it to other platforms.”

This allows the research team to test USBFuzz not only on Linux, but also on other operating systems.

Researchers tester USB Fuzz on the 9 latest versions of the Linux kernel: v4.14.81, v4.15, v4.16, v4.17, v4.18.19, v4.19, v4.19, v4.19.1, v4.19.2 and v4.20 -rc2 (the latest version at the time of evaluation). It is also tested on FreeBSD 12 (the latest version), MacOS 10.15 Catalina (the latest version), and Windows (8 and 10 versions with the latest security updates).

After the test, the research team said that with the help of USBFuzz, the team found 26 new bugs in total.

Including one bug found in FreeBSD, three bugs found in MacOS (two caused unplanned restart, one caused the system to freeze), and four were found in Windows 8 and Windows 10 (causing a blue screen of computer crash).

USBFuzz found 26 new bugs

In comparison, the most serious ones were found targeting Linux systems, there were 18 bugs in total.

Among them, 16 are high-risk memory vulnerabilities that target various Linux subsystems (USB core, USB sound and net-work), and 1 targets at USB for Linux.

In response, Peng and Payer stated that they reported these bugs to the Linux kernel team and made patch recommendations to ease the “burden of kernel developers when they fix the reported vulnerabilities.”

At the same time, the research team also stated that 11 out of 18 of the Linux vulnerabilities have received patches since they were first reported last year.

Among these 11 bugs, 10 of them also received CVE, which is the only code assigned to a major security vulnerability.


In this article the author introduces USB2.0, USB 3.0, and USB 4.0. USB 4.0 is 4 times faster than the previous generation

Here Comes Everything You Want to Know About USB flash drive

USB Hub interface in the market is usually 4 or 7. It is easy to understand 4 interfaces

Leave a comment

Back to Top
Product has been added to your cart