CVE-2025-68287

NONE EPSS 9.3%
Published Dec 16, 20256mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Dec 16, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.

Threat Intelligence

EPSS Exploit Probability
9.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 7

  • git.kernel.org https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2
  • git.kernel.org https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c
  • git.kernel.org https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607
  • git.kernel.org https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139
  • git.kernel.org https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090
  • git.kernel.org https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316
  • git.kernel.org https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.