CVE-2025-37813
usb: xhci: Fix invalid pointer dereference in Etron workaround
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so
enqueue can already point at the final link TRB of a segment. And indeed
it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right
away or load some junk which may look like a link TRB and cause the real
link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer
and always gives correct result. Something has crashed my machine twice in recent days while playing with
an Etron HC, and a control transfer stress test ran for confirmation has
just crashed it again. The same test passes with this patch applied.
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2025-04-16 CVE Reserved
- 2025-05-08 CVE Published
- 2025-05-08 CVE Updated
- 2025-05-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/fbc0a0c7718a6cb1dc5e0811a4f88a2b1deedfa1 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/9258c9ed32294ce3a4b58c9d92fc49ba030d35c9 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/5e1c67abc9301d05130b7e267c204e7005503b33 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/4725344ca645a98a9d8e45e25b01a2244de5b8aa | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6.66 < 6.6.89 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.66 < 6.6.89" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.12.2 < 6.12.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.2 < 6.12.26" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.13 < 6.14.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.14.5" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.13 < 6.15-rc4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.15-rc4" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.11.11 Search vendor "Linux" for product "Linux Kernel" and version "6.11.11" | en |
Affected
| ||||||