Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix invalid pointer dereference in Etron workaround

This check is performed before prepare_transfer() and prepare_ring(), so
enqueue can already point at the final link TRB of a segment. And indeed
it will, some 0.4% of times this code is called.

Then enqueue + 1 is an invalid pointer. It will crash the kernel right
away or load some junk which may look like a link TRB and cause the real
link TRB to be replaced with a NOOP. This wouldn't end well.

Use a functionally equivalent test which doesn't dereference the pointer
and always gives correct result.

Something has crashed my machine twice in recent days while playing with
an Etron HC, and a control transfer stress test ran for confirmation has
just crashed it again. The same test passes with this patch applied.

Classification

CVE ID: CVE-2025-37813

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.6% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37813
https://git.kernel.org/stable/c/142273a49f2c315eabdbdf5a71c15e479b75ca91
https://git.kernel.org/stable/c/bce3055b08e303e28a8751f6073066f5c33a0744
https://git.kernel.org/stable/c/0624e29c595b05e7a0e6d1c368f0a05799928e30
https://git.kernel.org/stable/c/1ea050da5562af9b930d17cbbe9632d30f5df43a

Timeline