CVE-2024-57981

MEDIUM EPSS 13.1%
Published Feb 27, 20251y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 27, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix NULL pointer dereference on certain command aborts If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment. If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL. Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone. This is probably Bug 219532, but no confirmation has been received. The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
13.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 4

VendorProductVersionRange
linuxlinux_kernel*≥3.16  –  <6.1.129
linuxlinux_kernel*≥6.2  –  <6.6.76
linuxlinux_kernel*≥6.7  –  <6.12.13
linuxlinux_kernel*≥6.13  –  <6.13.2

References 12

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-503939.html
  • git.kernel.org https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485
  • git.kernel.org https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4
  • git.kernel.org https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
    Mailing ListPatch
  • git.kernel.org https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
    Mailing ListPatch