In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix invalid pointer dereference in Etron workaround
This check is performed before prepare_transfer() and prepare_ring(), so
enqueue can already point at the final link TRB of a segment. And indeed
it will, some 0.4% of times this code is called.
Then enqueue + 1 is an invalid pointer. It will crash the kernel right
away or load some junk which may look like a link TRB and cause the real
link TRB to be replaced with a NOOP. This wouldn't end well.
Use a functionally equivalent test which doesn't dereference the pointer
and always gives correct result.
Something has crashed my machine twice in recent days while playing with
an Etron HC, and a control transfer stress test ran for confirmation has
just crashed it again. The same test passes with this patch applied.
References
Configurations
Configuration 1 (hide)
|
History
12 Nov 2025, 21:38
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Linux linux Kernel
Linux |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
| References | () https://git.kernel.org/stable/c/0624e29c595b05e7a0e6d1c368f0a05799928e30 - Patch | |
| References | () https://git.kernel.org/stable/c/142273a49f2c315eabdbdf5a71c15e479b75ca91 - Patch | |
| References | () https://git.kernel.org/stable/c/1ea050da5562af9b930d17cbbe9632d30f5df43a - Patch | |
| References | () https://git.kernel.org/stable/c/bce3055b08e303e28a8751f6073066f5c33a0744 - Patch | |
| CPE | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* |
|
| CWE | CWE-476 |
Information
Published : 2025-05-08 07:15
Updated : 2025-11-12 21:38
NVD link : CVE-2025-37813
Mitre link : CVE-2025-37813
CVE.ORG link : CVE-2025-37813
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-476
NULL Pointer Dereference