CVE-2024-57981

usb: xhci: Fix NULL pointer dereference on certain command aborts

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the
enqueue pointer is advanced to the subsequent link TRB and no further.
If the command is later aborted, when the abort completion is handled
the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees
the ring pointers unequal and assumes that there is a pending command,
so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell
ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using
a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.
Everything continued working normally after several prevented crashes.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-27 CVE Reserved
2025-02-27 CVE Published
2025-02-27 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/c311e391a7efd101250c0e123286709b7e736249	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88	2025-02-21
https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1	2025-02-08
https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641	2025-02-08
https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d	2025-02-08
https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073	2024-12-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.1.129 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.1.129"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.6.76 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.6.76"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.12.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.12.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.13.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.13.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.16 < 6.14-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.16 < 6.14-rc1"		en		Affected